Notice and Consent as cornerstone of privacy law
The privacy notice, which is the primary subject of this article, conveys all pertinent information, including risks and benefits to the participant, and in the possession of such knowledge, they can make an informed choice about whether to participate or not.

Most modern laws and data privacy principles seek to focus on individual control. In this context, the definition by the late Alan Westin, former Professor of Public Law & Government Emeritus, Columbia University, which characterises privacy as "the claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is communicated to other," ^[1] is most apt. The idea of privacy as control is what finds articulation in data protection policies across jurisdictions beginning from the Fair Information Practice Principles (FIPP) from the United States. ^[2] Paul Schwarz, the Jefferson E. Peyser Professor at UC Berkeley School of Law and a Director of the Berkeley Center for Law and Technology, called the FIPP the building blocks of modern information privacy law. ^[3] These principles trace their history to a report called 'Records, Computers and Rights of Citizens'^[4] prepared by an Advisory Committee appointed by the US Department of Health, Education and Welfare in 1973 in response to the increasing automation in data systems containing information about individuals. The Committee's mandate was to "explore the impact of computers on record keeping about individuals and, in addition, to inquire into, and make recommendations regarding, the use of the Social Security number."^[5] The most important legacy of this report was the articulation of five principles which would not only play a significant role in the privacy laws in US but also inform data protection law in most privacy regimes internationally^[6] like the OECD Privacy Guidelines, the EU Data Protection Principles, the FTC Privacy Principles, APEC Framework or the nine National Privacy Principles articulated by the Justice A P Shah Committee Report which are reflected in the Privacy Bill, 2014 in India. Fred Cate, the C. Ben Dutton Professor of Law at the Indiana University Maurer School of Law, effectively summarises the import of all of these privacy regimes as follows:

"All of these data protection instruments reflect the same approach: tell individuals what data you wish to collect or use, give them a choice, grant them access, secure those data with appropriate technologies and procedures, and be subject to third-party enforcement if you fail to comply with these requirements or individuals' expressed preferences"^[7]

This makes the individual empowered and allows them to weigh their own interests in exercising their consent. The allure of this paradigm is that in one elegant stroke, it seeks to "ensure that consent is informed and free and thereby also to implement an acceptable tradeoff between privacy and competing concerns."^[8] This system was originally intended to be only one of the multiple ways in data processing would be governed, along with other substantive principles such as data quality, however, it soon became the dominant and often the only mechanism.^[9] In recent years however, the emergence of Big Data and the nascent development of the Internet of Things has led many commentators to begin questioning the workability of consent as a principle of privacy. ^[10] In this article we will look closely at the some of issues with the concept of informed consent, and how these notions have become more acute in recent years. Following an analysis of these issues, we will conclude by arguing that today consent, as the cornerstone of privacy law, may in fact be thought of as counter-productive and that a rethinking of a principle based approach to privacy may be necessary.

Problems with Consent

To a certain extent, there are some cognitive problems that have always existed with the issue of informed consent such as long and difficult to understand privacy notices,^[11] although, in recent past with these problems have become much more aggravated. Fred Cate points out that FIPPs at their inception were broad principles which included both substantive and procedural aspects. However, as they were translated into national laws, the emphasis remained on the procedural aspect of notice and consent. From the idea of individual or societal welfare as the goals of privacy, the focus had shifted to individual control.^[12] With data collection occurring with every use of online services, and complex data sets being created, it is humanly impossible to exercise rational decision-making about the choice to allow someone to use our personal data. The thrust of Big Data technologies is that the value of data resides not in its primary purposes but in its numerous secondary purposes where data is re-used many times over. ^[13] In that sense, the very idea of Big Data conflicts with the data minimization principle.^[14] The idea is to retain as much data as possible for secondary uses. Since, these secondary uses are, by their nature, unanticipated, its runs counter to the the very idea of the purpose limitation principle. ^[15] The notice and consent requirement has simply led to a proliferation of long and complex privacy notices which are seldom read and even more rarely understood. We will articulate some issues with privacy notices which have always existed, and have only become more exacerbated in the context of Big Data and the Internet of Things.

1. Failure to read/access privacy notices

The notice and consent principle relies on the ability of the individual to make an informed choice after reading the privacy notice. The purpose of a privacy notice is to act as a public announcement of the internal practices on collection, processing, retention and sharing of information and make the user aware of the same.^[16] However, in order to do so the individual must first be able to access the privacy notices in an intelligible format and read them. Privacy notices come in various forms, ranging from documents posted as privacy policies on a website, to click through notices in a mobile app, to signs posted in public spaces informing about the presence of CCTV cameras. ^[17]

In order for the principle of notice and consent to work, the privacy notices need to be made available in a language understood by the user. As per estimates, about 840 million people (11% of the world population) can speak or understand English. However, most privacy notices online are not available in the local language in different regions.^[18] Further, with the ubiquity of smartphones and advent of Internet of Things, constrained interfaces on mobile screens and wearables make the privacy notices extremely difficult to read. It must be remembered that privacy notices often run into several pages, and smaller screens effectively ensure that most users do not read through them. Further, connected wearable devices often have "little or no interfaces that readily permit choices." ^[19] As more and more devices are connected, this problem will only get more pronounced. Imagine in a world where refrigerators act as the intermediary disclosing information to your doctor or supermarket, at what point does the data subject step in and exercise consent.^[20]

Another aspect that needs to be understood is that unlike earlier when data collectors were far and few in between, the user could theoretically make a rational choice taking into account the purpose of data collection. However, in the world of Big Data, consent often needs to be provided while the user is trying to access services. In that context click through privacy notices such as those required to access online application, are treated simply as an impediment that must be crossed in order to get access to services. The fact that the consent need to be given in real time almost always results in disregarding what the privacy notices say.^[21]

Finally, some scholars have argued that while individual control over data may be appealing in theory, it merely gives an illusion of enhanced privacy but not the reality of meaningful choice.^[22] Research demonstrates that the presence of the term 'privacy policy' leads people to the false assumption that if a company has a privacy policy in place, it automatically means presence of substantive and responsible limits on how data is handled.^[23] Joseph Turow, the Robert Lewis Shayon Professor of Communication at the Annenberg School for Communication, and his team for example has demonstrated how "[w]hen consumers see the term 'privacy policy,' they believe that their personal information will be protected in specific ways; in particular, they assume that a website that advertises a privacy policy will not share their personal information."^[24] In reality, however, privacy policies are more likely to serve as liability disclaimers for companies than any kind of guarantee of privacy for consumers. Most people tend to ignore privacy policies.^[25] Cass Sunstein states that our cognitive capacity to make choices and take decisions is limited. When faced with an overwhelming number of choices to make, most of us do not read privacy notices and resort to default options.[26] The requirement to make choices, sometimes several times in a day, imposes significant burden on the consumers as well the business seeking such consent. ^[27]

2. Failure to understand privacy notices

FTC chairperson Edith Ramirez stated: "In my mind, the question is not whether consumers should be given a say over unexpected uses of their data; rather, the question is how to provide simplified notice and choice."^[28] Privacy notices often come in the form of long legal documents much to the detriment of the readers' ability to understand them. These policies are "long, complicated, full of jargon and change frequently."^[29] Kent walker list five problems that privacy notices typically suffer from - a) overkill - long and repetitive text in small print, b) irrelevance - describing situations of little concern to most consumers, c) opacity - broad terms the reflect the truth that is impossible to track and control all the information collected and stored, d) non-comparability - simplification required to achieve comparability will lead to compromising accuracy, and e) inflexibility - failure to keep pace with new business models.^[30] Erik Sherman did a review of twenty three corporate privacy notices and mapped them against three indices which give approximate level of education necessary to understand text on a first read. His results show that most of policies can only be understood on the first read by people of a grade level of 15 or above. ^[31] FTC Chairperson Timothy Muris summed up the problem with long privacy notices when he said, "Acres of trees died to produce a blizzard of barely comprehensible privacy notices." ^[32]

Margaret Jane Radin, the former Henry King Ransom Professor of Law Emerita at the University of Michigan, provides a good definition of free consent. It "involves a knowing understanding of what one is doing in a context in which it is actually

possible for or to do otherwise, and an affirmative action in doing something, rather

than a merely passive acquiescence in accepting something."^[33] There have been various proposals advocating a more succinct and simpler standard for privacy notices,^[34] or multi-layered notices^[35] or representing the information in the form of a table. ^[36] However, studies show only an insignificant improvement in the understanding by consumers when privacy policies are represented in graphic formats like tables and labels. ^[37] It has also been pointed out that it is impossible to convey complex data policies in simple and clear language.^[38]

3. Failure to anticipate/comprehend the consequences of consent

Today's infinitely complex and labyrinthine data ecosystem is beyond the comprehension of most ordinary users. Despite a growing willingness to share information online, most have no understanding of what happens to their data once they have uploaded it - Where it goes? Whom it is held by? Under what conditions? For what purpose? Or how might it be used, aggregated, hacked, or leaked in the future? For the most part, the above operations are "invisible, managed at distant centers, from behind the scenes, by unmanned powers."^[39]

The perceived opportunities and benefits of Big Data have led to an acceptance of the indiscriminate collection of as much data as possible as well as the retention of that data for unspecified future analysis. For many advocates, such practices are absolutely essential if Big Data is to deliver on its promises.. Experts have argued that key privacy principles particularly those of collection limitation, data minimization and purpose limitation should not be applied to Big Data processing.^[40] As mentioned above, in the case of Big Data, the value of the data collected comes often not from its primary purpose but from its secondary uses. Deriving value from datasets involves amalgamating diverse datasets and executing speculative and exploratory kinds of analysis in order to discover hidden insights and correlations that might have previously gone unnoticed.^[41] As such organizations are today routinely reprocessing data collected from individuals for purposes not directly related to the services they provide to the customer. These secondary uses of data are becoming increasingly valuable sources of revenue for companies as the value of data in and of itself continues to rise. ^[42]

Purpose Limitation

The principle of purpose limitation has served as a key component of data protection for decades. Purposes given for the processing of users' data should be given at the time of collection and consent and should be "specified, explicit and legitimate". In practice however, reasons given typically include phrases such as, 'for marketing purposes' or 'to improve the user experience' that are vague and open to interpretation. ^[43]

Some commentators whilst conceding the fact that purpose limitation in the era of Big Data may not be possible have instead attempted to emphasise the notion of 'compatible use' requirements. In the view of Working Party on the protection of individuals with regard to the processing of person data, for example, use of data for a purpose other than that originally stated at the point of collection should be subject to a case-by-case review of whether not further processing for different purpose is justifiable - i.e., compatible with the original purpose. Such a review may take into account for example, the context in which the data was originally collected, the nature or sensitivity of the data involved, and the existence of relevant safeguards to insure fair processing of the data and prevent undue harm to the data subject.^[44]

On the other hand, Big Data advocates have argued that an assessment of legitimate interest rather than compatibility with the initial purpose is far better suited to Big Data processing.^[45] They argue that today the notion of purpose limitation has become outdated. Whereas previously data was collected largely as a by-product of the purpose for which it was being collected. If for example, we opted to use a service the information we provided was for the most part necessary to enable the provision of that service. Today however, the utility of data is no longer restricted to the primary purpose for which it is collected but can be used to provide all kinds of secondary services and resources, reduce waste, increase efficiency and improve decision-making.^[46] These kinds of positive externalities, Big Data advocates insist, are only made possible by the reprocessing of data.

Unfortunately for the notion of consent the nature of these secondary purposes are rarely evident at the time of collection. Instead the true value of the data can often only be revealed when it is amalgamated with other diverse datasets and subjected to various forms of analysis to help reveal hidden and non-obvious correlations and insights.^[47] The uncertain and speculative value of data therefore means that it is impossible to provide "specific, explicit, and legitimate" details about how a given data set will be used or how it might be aggregated in future. Without this crucial information data subjects have no basis upon which they can make an informed decision about whether or not to provide consent. Robert Sloan and Richard Warner argue that it is impossible for a privacy notice to contain enough information to enable free consent. They argue that current data collection practices are highly complex and that these practices involve collection of information at one stage for one purpose and then retain, analyze, and distribute it for a variety of other purposes in unpredictable ways. ^[48] Helen Nissenbaum points to the ever changing nature of data flow and the cognitive challenges it poses. "Even if, for a given moment, a

snapshot of the information flows could be grasped, the realm is in constant flux, with new firms entering the picture, new analytics, and new back end contracts forged: in other words, we are dealing with a recursive capacity that is indefinitely extensible." ^[49]

Scale and Aggregation

Today the quantity of data being generated is expanding at an exponential rate. From smartphones and televisions, trains and airplanes, sensor-equipped buildings and even the infrastructures of our cities, data now streams constantly from almost every sector and function of daily life, 'creating countless new digital puddles, lakes, tributaries and oceans of information'.^[50] In 2011 it was estimated that the quantity of data produced globally would surpass 1.8 zettabytes , by 2013 that had grown to 4 zettabytes , and with the nascent development of the Internet of Things gathering pace, these trends are set to continue. ^[51] Big Data by its very nature requires the collection and processing of very large and very diverse data sets. Unlike other forms scientific research and analysis which utilize various sampling techniques to identify and target the types of data most useful to the research questions, Big Data instead seeks to gather as much data as possible, in order to achieve full resolution of the phenomenon being studied, a task made much easier in recent years as a result of the proliferation of internet enabled devices and the growth of the Internet of Things. This goal of attaining comprehensive coverage exists in tension however with the key privacy principles of collection limitation and data minimization which seek to limit both the quantity and variety of data collected about an individual to the absolute minimum. ^[52]

The dilution of the purpose limitation principle entails that even those who understand privacy notices and are capable of making rational choices about it, cannot conceptualize how their data will be aggregated and possibly used or re-used. Seemingly innocuous bits of data revealed at different stages could be combined to reveal sensitive information about the individual. Daniel Solove, the John Marshall Harlan Research Professor of Law at the George Washington University Law School, in his book, "The Digital Person", calls it the aggregation effect. He argues that the ingenuity of the data mining techniques and the insights and predictions that could be made by it render any cost-benefit analysis that an individual could make ineffectual. ^[53]

4. Failure to opt-out

The traditional choice against the collection of personal data that users have had access to, at least in theory, is the option to 'opt-out' of certain services. This draws from the free market theory that individuals exercise their free will when they use services and always have the option of opting out, thus, arguing against regulation but relying on the collective wisdom of the market to weed out harms. The notion that the provision of data should be a matter of personal choice on the part of the individual and that the individual can, if they chose decide to 'opt-out' of data collection, for example by ceasing use of a particular service, is an important component of privacy and data protection frameworks. The proliferation of internet-enabled devices, their integration into the built environment and the real-time nature of data collection and analysis however are beginning to undermine this concept. For many critics of Big Data, the ubiquity of data collection points as well as the compulsory provision of data as a prerequisite for the access and use of many key online services, is making opting-out of data collection not only impractical but in some cases impossible. ^[54]

Whilst sceptics may object that individuals are still free to stop using services that require data. As online connectivity becomes increasingly important to participation in modern life, the choice to withdraw completely is becoming less of a genuine choice. ^[55] Information flows not only from the individuals it is about but also from what other people say about them. Financial transactions made online or via debit/credit cards can be analysed to derive further information about the individual. If opting-out makes you look anti-social, criminal, or unethical, the claims that we are exercising free will seems murky and leads one to wonder whether we are dealing with coercive technologies.

Another issue with the consent and opt-out paradigm is the binary nature of the choice. This binary nature of consent makes a mockery of the notion that consent can function as an effective tool of personal data management. What it effectively means is that one can either agree with the long privacy notices, or choose to abandon the desired service. "This binary choice is not what the privacy architects envisioned four decades ago when they imagined empowered individuals making informed decisions about the processing of their personal data. In practice, it certainly is not the optimal mechanism to ensure that either information privacy or the free flow of information is being protected." ^[56]

Conclusion: 'Notice and Consent' is counter-productive

There continues to be an unwillingness amongst many privacy advocates to concede that the concept of consent is fundamentally broken, as Simon Davies, a privacy advocate based in London, comments 'to do so could be seen as giving ground to the data vultures', and risks further weakening an already dangerously fragile privacy framework.^[57] Nevertheless, as we begin to transition into an era of ubiquitous data collection, evidence is becoming stronger that consent is not simply ineffective, but may in some instances might be counter-productive to the goals of privacy and data protection.

As already noted, the notion that privacy agreements produce anything like truly informed consent has long since been discredited; given this fact, one may ask for whose benefit such agreements are created? One may justifiably argue that far from being for the benefit and protection of users, privacy agreement may in fact be fundamentally to the benefit of data brokers, who having gained the consent of users can act with near impunity in their use of the data collected. Thus, an overly narrow focus on the necessity of consent at the point of collection, risks diverting our attention from the arguably more important issue of how our data is stored, analysed and distributed by data brokers following its collection. ^[58]

Furthermore, given the often complicated and cumbersome processes involved in gathering consent from users, some have raised concerns that the mechanisms put in place to garner consent could themselves morph into surveillance mechanisms. Davies, for example cites the case of the EU Cookie Directive, which required websites to gain consent for the collection of cookies. Davies observes how, 'a proper audit and compliance element in the system could require the processing of even more data than the original unregulated web traffic. Even if it was possible for consumers to use some kind of gateway intermediary to manage the consent requests, the resulting data collection would be overwhelming''. Thus in many instances there exists a fundamental tension between the requirement placed on companies to gather consent and the equally important principle of data minimization. ^[59]

Given the above issues with notice and informed consent in the context of information privacy, and the fact that it is counterproductive to the larger goals of privacy law, it is important to revisit the principle or rights based approach to data protection, and consider a paradigm shift where one moves to a risk based approach that takes into account the actual threats of sharing data rather than relying on what has proved to be an ineffectual system of individual control. We will be dealing with some of these issues in a follow up to this article.

Madam,

1. Please refer to your RTI application dated 3.12.2015 received in the Division on 10.12.2015 on the subject mentioned above requesting to provide the information in electronic form via the email address [email protected], copies of the artwork in print media released by UIDAI to create awareness about use of Aadhaar not being mandatory.
2. I am directed to furnish herewith in electronic form, copy of the artwork in print media released / published in the epapers edition of the Times of India and Dainik Jagran in their respective editions of dated 29.8.2015 in a soft copy, about obtaining of Aadhaar not being mandatory for a citizen, as desired.
3. In case, you want to go for an appeal in connection with the information provided, you may appeal to the Appellate Authority indicated below within thirty days from the date of receipt of this letter.
   Shri Harish Lal Verma,
   Deputy Director (Media),
   Unique Identification Authority of India
   3nd Floor, Tower – II, Jeevan Bharati Building,
   New Delhi – 110001.

Yours faithfully,

(T Gou Khangin)
Section Officer & CPIO Media Division

Copy for information to: Deputy Director (Establishment) & Nodal CPIO

Below scanned copies:

RTI Reply

Coverage in Dainik Jagran

Download the coverage in the Times of India here. Read the earlier blog entry here.

Details about the Summit

Event page: https://www.dsci.in/events/about/2261.

Agenda: https://www.dsci.in/sites/default/files/Agenda-AISS-2015.pdf.

Notes from the Summit

Mr.G.K.Pillai ,Chairman DSCI addressing the audience @ 10th Annual Information Security Summit '15 #AISS15 pic.twitter.com/JVcwct3HSF

— DSCI (@DSCI_Connect) December 16, 2015

Mr. G. K. Pillai, Chairman of Data Security Council of India (DSCI), set the tone of the Summit at the very first hour by noting that 1) state and private industries in India are working in silos when it comes to preventing cybercrimes, 2) there is a lot of skill among young technologists and entrepreneurs, and the state and the private sectors are often unaware of this, and 3) there is serious lack of (cyber-)capacity among law enforcement agencies.

In his Inaugural Address, Dr. Arvind Gupta (Deputy National Security Advisor and Secretary, NSCS), provided a detailed overview of the emerging challenges and framework of cybersecurity in India. He focused on the following points:

#India Dy NSA Dr Arvind Gupta calls 4 #cybersecurity by #design in #ICT #AISS15 pic.twitter.com/79kq9lWGtk

— Deepak Maheshwari (@dmcorpaffair) December 16, 2015

• Security is a key problem in the present era of ICTs as it is not in-built. In the upcoming IoT era, security must be built into ICT systems.
• In the next billion addition to internet population, 50% will be from India. Hence cybersecurity is a big concern for India.
• ICTs will play a catalytic role in achieving SDGs. Growth of internet is part of the sustainable development agenda.
• We need a broad range of critical security services - big data analytics, identity management, etc.
• The e-governance initiatives launched by the Indian government are critically dependent on a safe and secure internet.
• Darkweb is a key facilitator of cybercrime. Globally there is a growing concern regarding the security of cyberspace.
• On the other hand, there exists deep divide in access to ICTs, and also in availability of content in local languages.
• The Indian government has initiated bilateral cybersecurity dialogues with various countries.
• Indian government is contemplating setting up of centres of excellence in cryptography. It has already partnered with NASSCOM to develop cybersecurity guidelines for smart cities.
• While India is a large global market for security technology, it also needs to be self-reliant. Indian private sector should make use of government policies and bilateral trust enjoyed by India with various developing countries in Africa and south America to develop security technology solutions, create meaningful jobs in India, and export services and software to other developing countries.
• Strong research and development, and manufacturing base are absolutely necessary for India to be self-reliant in cybersecurity. DSCI should work with private sector, academia, and government to coordinate and realise this agenda.
• In the line of the Climate Change Fund, we should create a cybersecurity fund, since it is a global problem.
• Silos are our bane in general. Bringing government agencies together is crucial. Trust issues (between government, private sector, and users) remain, and can only be resolved over time.
• The demand for cybersecurity solutions in India is so large, that there is space for everyone.
• The national cybersecurity centre is being set up.
• Thinktanks can play a crucial role in helping the government to develop strategies for global cybersecurity negotiations. Indian negotiators are often capacity constrained.

Rajendra Pawar, Chair of the NASSCOM Cyber Security Task Force, NASSCOM Cybersecurity Initiative, provided glimpses of the emerging business opportunity around cybersecurity in India:

• In next 10 years, the IT economy in India will be USD 350 bn, and 10% of that will be the cybersecurity pie. This means a million job only in the cybersecurity space.
• Academic institutes are key to creation of new ideas and hence entrepreneurs. Government and private sectors should work closely with academic institutes.

  'Companies+Govt+Academia= High growth of the cybersecurity industry' - Rajendra Pawar at #AISS15 @DSCI_Connect

  — Shivangi Nadkarni (@shivanginadkarn) December 16, 2015

• Globally, cybersecurity innovation and industries happen in clusters. Cities and states must come forward to create such clusters.
• 2/3rd of the cybersecurity market is provision of services. This is where India has a great advantage, and should build on that to become a global brand in cybersecurity services.
• Everyday digital security literacy and cultures need to be created.
• Publication of cybersecurity best practices among private companies is a necessity.

  Corporate disclosures of breaches being considered with Nasscom under cybersec task force: Rajendra Pawar #AISS15 @DSCI_Connect @ETtech

  — Neha Alawadhi (@NehaAlawadhiET) December 16, 2015

• Dedicated cybersecurity spending should be made part of the e-governance budget of central and state governments.
• DSCI should function as a clearing house of cybersecurity case studies. At present, thought leadership in cybersecurity comes from the criminals. By serving as a use case clearing house, DSCI will inform interested researchers about potential challenges for which solution needs to be created.

Manish Tiwary of Microsoft informed the audience that India is in the top 3 positions globally in terms of malware proliferation, and this ensures that India is a big focus for Microsoft in its global war against malware. Microsoft India looks forward to work closely with CERT-In and other government agencies.

RSA's Kartik Shahani @DSCI_Connect #AISS15 Adopt a Deep & Pervasive Level of True Visibility Everywhere pic.twitter.com/2U8J8WkWsI

— Debjani Gupta (@DebjaniGupta1) December 16, 2015

Data localization; one of the stumbling blocks that undermine investments in #cybersecurity. #AISS15 pic.twitter.com/vrff3Amcv0

— Appvigil (@appvigil_co) December 16, 2015

Trust verification 4 embedded devices isnt complex bt much desired as people lives r dependent on that-cld cause physical damage #AISS15

— Lokesh Mehra (@lokesh_mehra) December 16, 2015

"Most compromised OS in 2k15: iOS"-Riyaz Tambe, Palo Alto Networks #AISS15

— Indira Sen (@drealcharbar) December 16, 2015

Security by default in IOS architecture tho' can't verify code as noṭ open - is it security by obscurity? #AISS15 pic.twitter.com/kbPZgH8oA0

— Lokesh Mehra (@lokesh_mehra) December 16, 2015

The session on Catching Fraudsters had two insightful presentations from Dr. Triveni Singh, Additional SP of Special Task Force of UP Police, and Mr. Manoj Kaushik, IAS, Additional Director of FIU.

Dr. Singh noted that a key challenge faced by police today is that nobody comes to them with a case of online fraud. Most fraud businesses are run by young groups operating BPOs that steal details from individuals. There exists a huge black market of financial and personal data - often collected from financial institutions and job search sites. Almost any personal data can be bought in such markets. Further, SIM cards under fake names are very easy to buy. The fraudsters are effective using all fake identity, and is using operational infrastructures outsourced from legitimate vendors under fake names. Without a central database of all bank customers, it is very difficult for the police to track people across the financial sector. It becomes even more difficult for Indian police to get access to personal data of potential fraudsters when it is stored in a foreign server. which is often the case with usual web services and apps. Many Indian ISPs do not keep IP history data systematically, or do not have the technical expertise to share it in a structured and time-sensitive way.

Mr. Triveni Singh talks about raiding fake call centres in Delhi NCR that scam millions every year #AISS15 pic.twitter.com/EmE4y3jux2

— pradyumn nand (@PradyumnNand) December 16, 2015

Mr. Kaushik explained that no financial fraud is uniquely committed via internet. Many fraud begin with internet but eventually involve physical fraudulent money transaction. Credit/debit card frauds all involve card data theft via various internet-based and physical methods. However, cybercrime is continued to be mistakenly seen as frauds undertaken completely online. Further, mobile-based frauds are yet another category. Almost all apps we use are compromised, or store transaction history in an insecure way, which reveals such data to hackers. FIU is targeting bank accounts to which fraud money is going, and closing them down. Catching the people behind these bank accounts is much more difficult, as account loaning has become a common practice - where valid accounts are loaned out for a small amount of money to fraudsters who return the account after taking out the fraudulent money. Better information sharing between private sector and government will make catching fraudsters easier.

@AkhileshTuteja With data overload and big data being prevalent are we considering privacy elements #AISS15 #KpmgIndiaCyber

— Atul Gupta (@AtulGup15843145) December 16, 2015

'Tech solns today designed to protect security - solns for privacy need to evolve'- @Mayurakshi_Ray #AISS15 @DSCI_Connect

— Shivangi Nadkarni (@shivanginadkarn) December 16, 2015

In-house tools important but community collaboration critical to fight security threats @tata_comm #AISS15 pic.twitter.com/ZjbCnaROXC

— aparna (@aparnag14) December 16, 2015

'Orgns in India have a long way to go b4 they internalise privacy principles' Subhash S, CISO ICICI #AISS15 @DSCI_Connect

— Shivangi Nadkarni (@shivanginadkarn) December 16, 2015

Prof PK giving an interesting brief on Academia role in Cyber Security. @ponguru @DSCI_Connect at #AISS15 pic.twitter.com/MEiO6sCJwu

— Vikas Yadav (@VikasSYadav) December 16, 2015

Potential for interaction between Academia, Government and Industry but not an established reality yet. #AISS15 #MappingCyberEducation

— Indira Sen (@drealcharbar) December 16, 2015

I have figured out why information security is not in any boardroom discussions. Cause there are no good speakers / orators . #AISS15

— Virag Thakkar (@viragthakkar) December 16, 2015

The session on Smart Cities focused on discussing the actual cities coming up India, and the security challenges highlighted by them. There was a presentation on Mahindra World City being built near Jaipur. Presenters talked about the need to stabilise, standardise, and securitise the unique identities of machines and sensors in a smart city context, so as to enable secured machine-to-machine communication. Since 'smartness' comes from connecting various applications and data silos together, the governance of proprietary technology and ensuring inter-operable data standards are crucial in the smart city.

As Special Purposed Vehicles are being planned to realise the smart cities, the presenters warned that finding the right CEOs for these entities will be critical for their success. Legacy processes and infrastructures (and labour unions) are a big challenge when realising smart cities. Hence, the first step towards the smart cities must be taken through connected enforcement of law, order, and social norms.

Privacy-by-design and security-by-design are necessary criteria for smart cities technologies. Along with that regular and automatic software/middleware updating of distributed systems and devices should be ensured, as well as the physical security of the actual devices and cables.

In terms of standards, security service compliance standards and those for protocols need to be established for the internet-of-things sector in India. On the other hand, there is significant interest of international vendors to serve the Indian market. All global data and cloud storage players, including Microsoft Azure cloud, are moving into India, and are working on substantial and complete data localisation efforts.

Session - Why should you hire Women Security Professionals?... Balancing gender diversity #AISS15 #DSCI_Connect pic.twitter.com/uIMfG9PvAb

— Jagan Suri (@jsuri90) December 16, 2015

gender Diversity in cybersecurity critical 4 India's future. @symantec partnered with @nasscom via 1000 women scholarships #AISS15

— Lokesh Mehra (@lokesh_mehra) December 16, 2015

Dialogue with CERT-In .. Starting 2nd Day of #AISS15 .. B J Srinath, DG, CERT @DSCI_Connect #security #privacy pic.twitter.com/cvDcrgkein

— Vinayak Godse (@godvinayak) December 17, 2015

New #problems can't b solved w old #solutions: #India CERT DG BJ Srinath #AISS15

— Deepak Maheshwari (@dmcorpaffair) December 17, 2015

17 entities within #Indian #government engaged in #cybersecurity: #India CERT head #AISS15

— Deepak Maheshwari (@dmcorpaffair) December 17, 2015

Scope of activities by CERT in #India way more than its counterparts elsewhere #AISS15

— Deepak Maheshwari (@dmcorpaffair) December 17, 2015

#India CERT looks 8 prediction & #prevention #cybersecurity #emergency not just #response #AISS15

— Deepak Maheshwari (@dmcorpaffair) December 17, 2015

#India CERT willing to #share #information rather than just receiving #AISS15

— Deepak Maheshwari (@dmcorpaffair) December 17, 2015

Savita CERTin outlines drill initiatives taken 4 preparedness-detect (protect), defend attacks wth response #AISS15 pic.twitter.com/wXrkgoLzr2

— Lokesh Mehra (@lokesh_mehra) December 17, 2015

CERTin also offers incident predicatibility,Crisis mgmt plans, #cybersecurity assurance ladder (7 levels) besides 24 x 7 prevention #AISS15

— Lokesh Mehra (@lokesh_mehra) December 17, 2015

#India has 7.2 million bot infected #machines: #India CERT DG Srinath #AISS15

— Deepak Maheshwari (@dmcorpaffair) December 17, 2015

Seizure & protection of electronic devices as admissible evidence (certificate u Sec 65B) imperative under Forensics investigation #AISS15

— Lokesh Mehra (@lokesh_mehra) December 17, 2015

'Law enforcement agency&corporate world must collaborate to fight cybercrime'-Atul Gupta,Partner-Risk Adv. @ #AISS15 pic.twitter.com/GwAQWhYMmK

— KPMG India (@KPMGIndia) December 17, 2015

Mr. R. Chandrasekhar, President of NASSCOM, foregrounded the recommendations made by the Cybersecurity Special Task Force of NASSCOM, in his Special Address on the second day. He noted:

• There is a great opportunity to brand India as a global security R&D and services hub. Other countries are also quite interested in India becoming such a hub.
• The government should set up a cybersecurity startup and innovation fund, in coordination with and working in parallel with the centres of excellence in internet-of-things (being led by DeitY) and the data science/analytics initiative (being led by DST).
• There is an immediate need to create a capable workforce for the cybersecurity industry.
• Cybersecurity affects everyone but there is almost no public disclosure. This leads to low public awareness and valuation of costs of cybersecurity failures. The government should instruct the Ministry of Corporate Affairs to get corporates to disclose (publicly or directly to the Ministry) security breeches.
• With digital India and everyone going online, cyberspace will increasingly be prone to attacks of various kinds, and increasing scale of potential loss. Cybersecurity, hence, must be part of the core national development agenda.
• The cybersecurity market in India is big enough and under-served enough for everyone to come and contribute to it.

The Keynote Address by Mr. Rajiv Singh, MD – South Asia of Entrust Datacard, and Mr. Saurabh Airi, Technical Sales Consultant of Entrust Datacard, focused on trustworthiness and security of online identities for financial transactions. They argued that all kinds of transactions require a common form factor, which can be a card or a mobile phone. The key challenge is to make the form factor unique, verified, and secure. While no programme is completely secure, it is necessary to build security into the form factor - security of both the physical and digital kind, from the substrates of the card to the encryption algorithms. Entrust and Datacard have merged in recent past to align their identity management and security transaction workflows, from physical cards to software systems for transactions. The advantages of this joint expertise have allowed them to successfully develop the National Population Register cards of India. Now, with the mobile phone emerging as a key financial transaction form factor, the challenge across the cybersecurity industry is to offer the same level of physical, digital, and network security for the mobile phone, as are provided for ATM cards and cash machines.

The following Keynote Address by Dr. Jared Ragland, Director - Policy of BSA, focused on the cybersecurity investment landscape in India and the neighbouring region. BSA, he explained, is a global trade body of software companies. All major global software companies are members of BSA. Recently, BSA has produced a study on the cybersecurity industry across 10 markets in the Asia Pacific region, titled Asia Pacific Cybersecurity Dashboard. The study provides an overview of cybersecurity policy developments in these countries, and sector-specific opportunities in the region. Dr. Ragland mentioned the following as the key building blocks of cybersecurity policy: legal foundation, establishment of operational entities, building trust and partnerships (PPP), addressing sector-specific requirements, and education and awareness. As for India, he argued that while steady steps have been taken in the cybersecurity policy space by the government, a lot remains to be done. Operationalisation of the policy is especially lacking. PPPs are happening but there is a general lack of persistent formal engagement with the private sector, especially with global software companies. There is almost no sector-specific strategy. Further, the requirement for India-specific testing of technologies, according to domestic and not global standards, is leading to entry barrier for global companies and export barrier for Indian companies. Having said that, Dr. Ragland pointed out that India's cybersecurity experience is quite representative of that of the Asia Pacific region. He noted the following as major stumbling blocks from an international industry perspective: unnecessary and unreasonable testing requirements, setting of domestic standards, and data localisations rules.

The Policy Makers' panel in #AISS15 in progress. Arvind Gupta, Head, BJP IT cell (@buzzindelhi) speaks. pic.twitter.com/9yWR0gMwf5

— Nandkumar Saravadé (@saravade) December 17, 2015

One of the final sessions of the Summit was the Public Policy Dialogue between Prof. M.V. Rajeev Gowda, Member of Parliament, Rajya Sabha, and Mr. Arvind Gupta, Head of IT Cell, BJP.

Prof. Gowda focused on the following concerns:

• We often freely give up our information and rights over to owners of websites and applications on the web. We need to ask questions regarding the ownership, storage, and usage of such data.
• While Section 66A of Information Technology Act started as a anti-spam rule, it has actually been used to harass people, instead of protecting them from online harassment.
• The bill on DNA profiling has raised crucial privacy concerns related to this most personal data. The complexity around the issue is created by the possibility of data leakage and usage for various commercial interests.
• We need to ask if western notions of privacy will work in the Indian context.
• We need to move towards a cashless economy, which will not only formalise the existing informal economy but also speed up transactions nationally. We need to keep in mind that this will put a substantial demand burden on the communication infrastructure, as all transactions will happen through these.

Mr. Gupta shared his keen insights about the key public policy issues in digital India:

• The journey to establish the digital as a key political agenda and strategy within BJP took him more than 6 years. He has been an entrepreneur, and will always remain one. His approached his political journey as an entrepreneur.
• While we are producing numerous digitally literate citizens, the companies offering services on the internet often unknowingly acquire data about these citizens, store them, and sometimes even expose them. India perhaps produces the greatest volume of digital exhaust globally.
• BJP inherited the Aadhaar national identity management platform from UPA, and has decided to integrate it deeply into its digital India architecture.
• Financial and administrative transactions, especially ones undertake by and with governments, are all becoming digital and mostly Aadhaar-linked. We are not sure where all such data is going, and who all has access to such data.
• Right now there is an ongoing debate about using biometric system for identification. The debate on privacy is much needed, and a privacy policy is essential to strengthen Aadhaar. We must remember that the benefits of Aadhaar clearly outweigh the risks. Greatest privacy threats today come from many other places, including simple mobile torch apps.
• India is rethinking its cybersecurity capacities in a serious manner. After Paris attack it has become obvious that the state should be allowed to look into electronic communication under reasonable guidelines. The challenge is identifying the fine balance between consumers' interest on one hand, and national interest and security concerns on the other. Unfortunately, the concerns of a few is often getting amplified in popular media.
• MyGov platform should be used much more effectively for public policy debates. Social media networks, like Twitter, are not the correct platforms for such debates.

#AISS15: @rajivgowda & @buzzindelhi are talking abt proactive disclosure as a key part of #cybersecurity strategy #openData @DataPortalIndia

— sumandro (@ajantriks) December 17, 2015

Introduction

A democracy involves the state machinery being accountable to the citizens that it is supposed to serve, and for the citizens to be able to hold their state machinery accountable, they need accurate and adequate information regarding the activities of those that seek to govern them. However, in modern democracies it is often seen that those in governance often try to circumvent legal requirements of transparency and only pay lip service to this principle, while keeping their own functioning as opaque as possible.

This tendency to not give adequate information is very evident in the departments of the government which are concerned with surveillance, and merit can be found in the argument that all of the government's clandestine surveillance activities cannot be transparent otherwise they will cease to be "clandestine" and hence will be rendered ineffective. However, this argument is often misused as a shield by the government agencies to block the disclosure of all types of information about their activities, some of which may be essential to determine whether the current surveillance regime is working in an effective, ethical, and legal manner or not. It is this exploitation of the argument, which is often couched in the language of or coupled with concerns of national security, that this paper seeks to address while voicing the need for greater transparency in surveillance activities and structures.

In the first section the paper examines the need for transparency, and specifically deals with the requirement for transparency in surveillance. In the next part, the paper discusses the regulations governing telecom surveillance in India. The final part of the paper discusses possible steps that may be taken by the government in order to increase transparency in telecom surveillance while keeping in mind that the disclosure of such information should not make future surveillance ineffective.

Need for Transparency

In today's age where technology is all pervasive, the term "surveillance" has developed slightly sinister overtones, especially in the backdrop of the Edward Snowden fiasco. Indeed, there have been several independent scandals involving mass surveillance of people in general as well as illegal surveillance of specific individuals. The fear that the term surveillance now invokes, especially amongst those social and political activists who seek to challenge the status quo, is in part due to the secrecy surrounding the entire surveillance regime. Leaving aside what surveillance is carried out, upon whom, and when - the state actors are seldom willing and open to talk about how surveillance is carried out, how decisions regarding who and how to target, are reached, how agency budgets are allocated and spent, how effective surveillance actions were, etc. While there may be justified security based arguments to not disclose the full extent of the state's surveillance activities, however this cloak of secrecy may be used illegally and in an unauthorized manner to achieve ends more harmful to citizen rights than the maintenance of security and order in the society.

Surveillance and interception/collection of communications data can take place under different legal processes in different countries, ranging from court-ordered requests of specified data from telecommunications companies to broad executive requests sent under regimes or regulatory frameworks requiring the disclosure of information by telecom companies on a pro-active basis. However, it is an open secret that data collection often takes place without due process or under non-legal circumstances.

It is widely believed that transparency is a critical step towards the creation of mechanisms for increased accountability through which law enforcement and government agencies access communications data. It is the first step in the process of starting discussions and an informed public debate regarding how the state undertakes activities of surveillance, monitoring and interception of communications and data. Since 2010, a large number of ICT companies have begun to publish transparency reports on the extent that governments request their user data as well as requirements to remove content. However, governments themselves have not been very forthcoming in providing such detailed information on surveillance programs which is necessary for an informed debate on this issue.[1] Although some countries currently report limited information on their surveillance activities, e.g. the U.S. Department of Justice publishes an annual Wiretap Report (U.S. Courts, 2013a), and the United Kingdom publishes the Interception of Communications Commissioner Annual Report (May, 2013), which themselves do not present a complete picture, however even such limited measures are unheard of in a country such as India.

It is obvious that Governments can provide a greater level of transparency regarding the limits in place on the freedom of expression and privacy than transparency reports by individual companies. Company transparency reports can only illuminate the extent to which any one company receives requests and how that company responds to them. By contrast, government transparency reports can provide a much greater perspective on laws that can potentially restrict the freedom of expression or impact privacy by illustrating the full extent to which requests are made across the ICT industry. [2]

In India, the courts and the laws have traditionally recognized the need for transparency and derive it from the fundamental right to freedom of speech and expression guaranteed in our Constitution. This need coupled with a sustained campaign by various organizations finally fructified into the passage of the Right to Information Act, 2005, (RTI Act) which amongst other things also places an obligation on the sate to place its documents and records online so that the same may be freely available to the public. In light of this law guaranteeing the right to information, the citizens of India have the fundamental right to know what the Government is doing in their name. The free flow of information and ideas informs political growth and the freedom of speech and expression is the lifeblood of a healthy democracy, it acts as a safety valve. People are more ready to accept the decisions that go against them if they can in principle seem to influence them. The Supreme Court of India is of the view that the imparting of information about the working of the government on the one hand and its decision affecting the domestic and international trade and other activities on the other is necessary, and has imposed an obligation upon the authorities to disclose information.[3]

The Supreme Court, in Namit Sharma v. Union of India,[4] while discussing the importance of transparency and the right to information has held:

"The Right to Information was harnessed as a tool for promoting development; strengthening the democratic governance and effective delivery of socio-economic services. Acquisition of information and knowledge and its application have intense and pervasive impact on the process of taking informed decision, resulting in overall productivity gains .

……..

Government procedures and regulations shrouded in the veil of secrecy do not allow the litigants to know how their cases are being handled. They shy away from questioning the officers handling their cases because of the latters snobbish attitude. Right to information should be guaranteed and needs to be given real substance. In this regard, the Government must assume a major responsibility and mobilize skills to ensure flow of information to citizens. The traditional insistence on secrecy should be discarded."

Although these statements were made in the context of the RTI Act the principle which they try to illustrate can be understood as equally applicable to the field of state sponsored surveillance. Though Indian intelligence agencies are exempt from the RTI Act, it can be used to provide limited insight into the scope of governmental surveillance. This was demonstrated by the Software Freedom Law Centre, who discovered via RTI requests that approximately 7,500 - 9,000 interception orders are sent on a monthly basis.[5]

While it is true that transparency alone will not be able to eliminate the barriers to freedom of expression or harm to privacy resulting from overly broad surveillance,, transparency provides a window into the scope of current practices and additional measures are needed such as oversight and mechanisms for redress in cases of unlawful surveillance. Transparency offers a necessary first step, a foundation on which to examine current practices and contribute to a debate on human security and freedom.[6]

It is no secret that the current framework of surveillance in India is rife with malpractices of mass surveillance and instances of illegal surveillance. There have been a number of instances of illegal and/or unathorised surveillance in the past, the most scandalous and thus most well known is the incident where a woman IAS officer was placed under surveillance at the behest of Mr. Amit Shah who is currently the president of the ruling party in India purportedly on the instructions of the current prime minister Mr. Narendra Modi.[7] There are also a number of instances of private individuals indulging in illegal interception and surveillance; in the year 2005, it was reported that Anurag Singh, a private detective, along with some associates, intercepted the telephonic conversations of former Samajwadi Party leader Amar Singh. They allegedly contacted political leaders and media houses for selling the tapped telephonic conversation records. The interception was allegedly carried out by stealing the genuine government letters and forging and fabricating them to obtain permission to tap Amar Singh's telephonic conversations. [8] The same individual was also implicated for tapping the telephone of the current finance minister Mr. Arun Jaitely.[9]

It is therefore obvious that the status quo with regard to the surveillance mechanism in India needs to change, but this change has to be brought about in a manner so as to make state surveillance more accountable without compromising its effectiveness and addressing legitimate security concerns. Such changes cannot be brought about without an informed debate involving all stakeholders and actors associated with surveillance, however the basic minimum requirement for an "informed" debate is accurate and sufficient information about the subject matter of the debate. This information is severely lacking in the public domain when it comes to state surveillance activities - with most data points about state surveillance coming from news items or leaked information. Unless the state becomes more transparent and gives information about its surveillance activities and processes, an informed debate to challenge and strengthen the status quo for the betterment of all parties cannot be started.

Current State of Affairs

Surveillance laws in India are extremely varied and have been in existence since the colonial times, remnants of which are still being utilized by the various State Police forces. However in this age of technology the most important tools for surveillance exist in the digital space and it is for this reason that this paper shall focus on an analysis of surveillance through interception of telecommunications traffic, whether by tracking voice calls or data. The interception of telecommunications actually takes place under two different statutes, the Telegraph Act, 1885 (which deals with interception of calls) as well as the Information Technology Act, 2000 (which deals with interception of data).

Currently, the telecom surveillance is done as per the procedure prescribed in the Rules under the relevant sections of the two statutes mentioned above, viz. Rule 419A of the Telegraph Rules, 1951 for surveillance under the Telegraph Act, 1885 and the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 for surveillance under the Information Technology Act, 2000. These Rules put in place various checks and balances and try to ensure that there is a paper trail for every interception request. [10] The assumption is that the generation of a paper trail would reduce the number of unauthorized interception orders thus ensuring that the powers of interception are not misused. However, even though these checks and balances exist on paper as provided in the laws, there is not enough information in the public domain regarding the entire mechanism of interception for anyone to make a judgment on whether the system is working or not.

As mentioned earlier, currently the only sources of information on interception that are available in the public domain are through news reports and a handful of RTI requests which have been filed by various activists.[11] The only other institutionalized source of information on surveillance in India is the various transparency reports brought out by companies such as Google, Yahoo, Facebook, etc.

Indeed, Google was the first major corporation to publish a transparency report in 2010 and has been updating its report ever since. The latest data that is available for Google is for the period between January, 2015 to June, 2015 and in that period Google and Youtube together received 3,087 requests for data which asked for information on 4,829 user accounts from the Indian Government. Out of these requests Google only supplied information for 44% of the requests.[12] Although Google claims that they "review each request to make sure that it complies with both the spirit and the letter of the law, and we may refuse to produce information or try to narrow the request in some cases", it is not clear why Google rejected 56% of the requests. It may also be noted that the number of requests for information that Google received from India were the fifth highest amongst all the other countries on which information was given in the Transparency Report, after USA, Germany, France and the U.K.

Facebook's transparency report for the period between January, 2015 to June, 2015 reveals that Facebook received 5,115 requests from the Indian Government for 6,268 user accounts, out of which Facebook produced data in 45.32% of the cases.[13] Facebook's transparency report claims that they respond to requests relating to criminal cases and "Each and every request we receive is checked for legal sufficiency and we reject or require greater specificity on requests that are overly broad or vague." However, even in Facebook's transparency report it is unclear why 55.68% of the requests were rejected.

The Yahoo transparency report also gives data from the period between January 1, 2015 to June 30, 2015 and reveals that Yahoo received 831 requests for data, which related to 1,184 user accounts from the Indian Government. The Yahoo report is a little more detailed and also reveals that 360 of the 831 requests were rejected by Yahoo, however no details are given as to why the requests were rejected. The report also specifies that in 63 cases, no data was found by Yahoo, in 249 cases only non content data[14] was disclosed while in 159 cases content [15] was disclosed. The Yahoo report also claims that "We carefully scrutinize each request to make sure that it complies with the law, and we push back on those requests that don't satisfy our rigorous standards."

While the Vodafone Transparency Report gives information regarding government requests for data in other jurisdictions, [16] it does not give any information on government requests in India. This is because Vodafone interprets the provisions contained in Rule 25(4) of the IT (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 (Interception Rules) and Rule 11 of the IT (Procedure and Safeguards for Monitoring and Collecting Traffic Data or Information) Rules, 2009 as well as Rule 419A(19) of the Indian Telegraph Rules, 1954 which require service providers to maintain confidentiality/secrecy in matters relating to interception, as being a legal prohibition on Vodafone to reveal such information.

Apart from the four major companies discussed above, there are a large number of private corporations which have published transparency reports in order to acquire a sense of trustworthiness amongst their customers. Infact, the Ranking Digital Rights Project has been involved in ranking some of the biggest companies in the world on their commitment to accountability and has brought out the Ranking Digital Rights 2015 Corporate Accountability Index that has analysed a representative group of 16 companies "that collectively hold the power to shape the digital lives of billions of people across the globe".

Suggestions on Transparency

It is clear from the discussions above, as well as a general overview of various news reports on the subject, that telecom surveillance in India is shrouded in secrecy and it appears that a large amount of illegal and unauthorized surveillance is taking place behind the protection of this veil of secrecy. If the status quo continues, then it is unlikely that any meaningful reforms would take place to bring about greater accountability in the area of telecom surveillance. It is imperative, for any sort of changes towards greater accountability to take place, that we have enough information about what exactly is happening and for that we need greater transparency since transparency is the first step towards greater accountability.

Transparency Reports

In very simplistic terms transparency, in anything, can best be achieved by providing as much information about that thing as possible so that there are no secrets left. However, it would be naïve to say that all information about interception activities can be made public on the altar of the principle of transparency, but that does not mean that there should be no information at all on interception. One of the internationally accepted methods of bringing about transparency in interception mechanisms, which is increasingly being adopted by both the private sector as well as governments, is to publish Transparency Reports giving various details of interception while keeping security concerns in mind. The two types of transparency reports that we require in India and what that would entail is briefly discussed below:

By the Government

The problem with India's current regime for interception is that the entire mechanism appears more or less adequate on paper with enough checks and balances involved in it to prevent misuse of the allotted powers. However, because the entire process is veiled in secrecy, nobody knows exactly how good or how rotten the system has become and whether it is working to achieve its intended purposes. It is clear that the current system of interception and surveillance being followed by the government has some flaws, as can be gathered from the frequent news articles which talk about incidents of illegal surveillance. However, without any other official or more reliable sources of information regarding surveillance activities these anecdotal pieces of evidence are all we have to shape the debate regarding surveillance in India. It is only logical then that the debate around surveillance, which is informed by such sketchy and unreliable news reports will automatically be biased against the current mechanism since the newspapers would also only be interested in reporting the scandalous and the extraordinary incidents. For example, some argue that the government undertakes mass surveillance, while others argue that India only carries out targeted surveillance, but there is not enough information publicly available for a third party to support or argue against either claim. It is therefore necessary and highly recommended that the government start releasing a transparency report such as the one's brought out by the United States and the UK as mentioned above.

There is no need for a separate department or authority just to make the transparency report and this task could probably be performed in-house by any department, but considering the sector involved, it would perhaps be best if the Department of Telecommunications is given the responsibility to bring out a transparency report. These transparency reports should contain certain minimum amount of data for them to be an effective tool in informing the public discourse and debate regarding surveillance and interception. The report needs to strike a balance between providing enough information so that an informed analysis can be made of the effectiveness of the surveillance regime without providing so much information so as to make the surveillance activities ineffective. Below is a list of suggestions as to what kind of data/information such reports should contain:

• Reports should contain data regarding the number of interception orders that have been passed. This statistic would be extremely useful in determining how elaborate and how frequently the state indulges in interception activities. This information would be easily available since all interception orders have to be sent to the Review Committee set up under Rule 419A of the Telegraph Rules, 1954.
• The Report should contain information on the procedural aspects of surveillance including the delegation of powers to different authorities and individuals, information on new surveillance schemes, etc. This information would also be available with the Ministry of Home Affairs since it is a Secretary or Joint Secretary level officer in the said Ministry which is supposed to authorize every order for interception.
• The report should contain an aggregated list of reasons given by the authorities for ordering interception. This information would reveal whether the authorities are actually ensuring legal justification before issuing interception or are they just paying lip service to the rules to ensure a proper paper trail. Since every order of interception has to be in writing, the main reasons for interception can easily be gleaned from a perusal of the orders.
• It should also reveal the percentage of cases where interception has actually found evidence of culpability or been successful in prevention of criminal activities. This one statistic would itself give a very good review of the effectiveness of the interception regime. Granted that this information may not be very easily obtainable, but it can be obtained with proper coordination with the police and other law enforcement agencies.
• The report should also reveal the percentage of order that have been struck down by the Review Committee as not following the process envisaged under the various Rules. This would give a sense of how often the Rules are being flouted while issuing interception orders. This information can easily be obtained from the papers and minutes of the meetings of the Review Committee.
• The report should also state the number of times the Review Committee has met in the period being reported upon. The Review Committee is an important check on the misuse of powers by the authorities and therefore it is important that the Review Committee carries out its activities in a diligent manner.

It may be noted here that some provisions of the Telegraph Rules, 1954 especially sub-Rules 17 and 18 of Rule 419A as well as Rules 22, 23(1) and 25 of the Information Technology (Procedure and Safeguards for Monitoring and Collecting Traffic Data or Information) Rules, 2009 may need to be amended so as to make them compliant with the reporting mechanism proposed above.

By the Private Sector

We have already discussed above the transparency reports published by certain private companies. Suffice it to say that reports from private companies should give as much of the information discussed under government reports as possible and/or applicable, since they may not have a large amount of the information that is sought to be published in the government reports such as whether the interception was successful, the reasons for interception, etc. It is important to have ISPs provide such transparency reports as this will provide two different data points for information on interception and the very existence of these private reports may act as a check to ensure the veracity of the government transparency reports.

As in the case of government reports, for the transparency reports of the private sector to be effective, certain provisions of the Telegraph Rules, 1954 and the Information Technology (Procedure and Safeguards for Monitoring and Collecting Traffic Data or Information) Rules, 2009, viz. sub-Rules 14, 15 and 19 of Rule 419A of the Telegraph Rules, 1954 and Rules 20, 21, 23(1) and 25 of the Information Technology (Procedure and Safeguards for Monitoring and Collecting Traffic Data or Information) Rules, 2009.

Overhaul of the Review Committee

The Review Committee which acts as a check on the misuse of powers by the competent authorities is a very important cog in the entire process. However, it is staffed entirely by the executive and does not have any members of any other background. Whilst it is probably impractical to have civilian members in the Review Committee which has access to potentially sensitive information, it is extremely essential that the Committee has wider representation from other sectors specially the judiciary. One or two members from the judiciary on the Review Committee would provide a greater check on the workings of the Committee as this would bring in representation from the judicial arm of the State so that the Review Committee does not remain a body manned purely by the executive branch. This could go some ways to ensure that the Committee does not just "rubber stamp" the orders of interception issued by the various competent authorities.

Conclusion

It is not in dispute that there is a need for greater transparency in the government's surveillance activities in order to address the problems associated with illegal and unauthorised interceptions. This paper is not making the case that greater transparency in and by itself will be able to solve the problems that may be associated with the government's currency interception and surveillance regime, however it is not possible to address any problem unless we know the real extent of it. It is essential for an informed debate and discussion that the people participating in the discussion are "informed", i.e. they should have accurate and adequate information regarding the issues which are being discussed. The current state of the debate on interception is rife with individuals using illustrative and anecdotal evidence which, in the absence of any other evidence, they assume to be the norm.

A more transparent and forthcoming state machinery which regularly keeps its citizens abreast of the state of its surveillance regime would be likely to get better suggestions and perhaps less criticisms if it does come out that the checks and balances imposed in the regulations are actually making a difference to check unauthorized interceptions, and if not, then it is the right of the citizens to know about this and ask for reforms.

I. Introduction

"The period that we have embarked upon is unprecedented in history in terms of our ability to learn about human behavior." [1]

The world we live in today is facing a slow but deliberate metamorphosis of decisive information; from the erstwhile monopoly of world leaders and the captains of industry obtained through regulated means, it has transformed into a relatively undervalued currency of knowledge collected from individual digital expressions over a vast network of interconnected electrical impulses.[2] This seemingly random deluge of binary numbers, when interpreted represents an intricately woven tapestry of the choices that define everyday life, made over virtual platforms. The machines we once employed for menial tasks have become sensorial observers of our desires, wants and needs, so much so that they might now predict the course of our future choices and decisions.[3] The patterns of human behaviour that are reflected within this data inform policy makers, in both a public and private context. The collective data obtained from our digital shadows thus forms a rapidly expanding storehouse of memory, from which interested parties can draw upon to resolve problems and enable a more efficient functioning of foundational institutions, such as the markets, the regulators and the government.[4]

The term used to describe a large volume of collected data, in a structured as well as unstructured form is called Big Data. This data requires niche technology, outside of traditional software databases, to process; simply because of its exponential increment in a relatively short period of time. Big Data is usually identified using a "three V" characterization - larger volume, greater variety and distinguishably high rates of velocity. [5] This is exemplified in the diverse sources from which this data is obtained; mobile phone records, climate sensors, social media content, GPS satellite identifications and patterns of employment, to name a few. Big data analytics refers to the tools and methodologies that aim to transform large quantities of raw data into "interpretable data", in order to study and discern the same so that causal relationships between events can be conclusively established.[6] Such analysis could allow for the encouragement of the positive effects of such data and a concentrated mitigation of negative outcomes.

This paper seeks to map out the practices of different governments, civil society, and the private sector with respect to the collection, interpretation and analysis of big data in the global south, illustrated across a background of significant events surrounding the use of big data in relevant contexts. This will be combined with an articulation of potential opportunities to use big data analytics within both the public and private spheres and an identification of the contextual challenges that may obstruct the efficient use of this data. The objective of this study is to deliberate upon how significant obstructions to the achievement of developmental goals within the global south can be overcome through an accurate recognition, interpretation and analysis of big data collected from diverse sources.

II. Uses of Big Data in the Global Development

Big Data for development is the process though which raw, unstructured and imperfect data is analyzed, interpreted and transformed into information that can be acted upon by governments and policy makers in various capacities. The amount of digital data available in the world today has grown from 150 exabytes in 2005 to 1200 exabytes in 2010.[7] It is predicted that this figure would increase by 40% annually in the next few years[8], which is close to 40 times growth of the world's population. [9] The implication of this is essentially that the share of available data in the world today that is less than a minute old is increasing at an exponential rate. Moreover, an increasing percentage of this data is produced and created real-time.

The data revolution that is incumbent upon us is characterized by a rapidly accumulating and continuously evolving stock of data prevalent` in both industrialized as well as developing countries. This data is extracted from technological services that act as sensors and reflect the behaviour of individuals in relation to their socio-economic circumstances.

For many global south countries, this data is generated through mobile phone technology. This trend is evident in Sub Saharan Africa, where mobile phone technology has been used as an effective substitute for often weak and unstructured State mechanisms such as faulty infrastructure, underdeveloped systems of banking and inferior telecommunication networks.[10]

For example, a recent study presented at the Data for Development session at the NetMob Conference at MIT used mobile phone data to analyze the impact of opening a new toll highway in Dakar, Senegal on human mobility, particularly how people commute to work in the metropolitan area. ^[11] A huge investment, the improved infrastructure is expected to result in a significant increase of people in and out of Dakar, along with the transport of essential goods. This would initiate rural development in the areas outside of Dakar and boost the value of land within the region.^[12] The impact of the newly constructed highway can however only be analyzed effectively and accurately through the collection of this mobile phone data from actual commuters, on a real time basis.

Mobile phones technology is no longer used just for personal communication but has been transformed into an effective tool to secure employment opportunities, transfer money, determine stock options and assess the prices of various commodities.[13] This generates vast amounts of data about individuals and their interactions with the government and private sector companies. Internet Traffic is predicted to grow between 25 to 30 % in the next few years in North America, Western Europe and Japan but in Latin America, The Middle East and Africa this figure has been expected to touch close to 50%.[14] The bulk of this internet traffic can be traced back to mobile devices.

The potential applicability of Big Data for development at the most general level is the ability to provide an overview of the well being of a given population at a particular period of time.[15] This overcomes the relatively longer time lag that is prevalent with most other traditional forms of data collection. The analysis of this data has helped, to a large extent, uncover "digital smoke signals" - or inherent changes in the usage patterns of technological services, by individuals within communities.[16] This may act as an indicator of the changes in the underlying well-being of the community as a whole. This information about the well-being of a community derived from their usage of technology provides significantly relevant feedback to policy makers on the success or failure of particular schemes and can pin point changes that need to be made to status quo. [17]The hope is that this feedback delivered in real-time, would in turn lead to a more flexible and accessible system of international development, thus securing more measurable and sustained outcomes. [18]

The analysis of big data involves the use of advanced computational technology that can aid in the determination of trends, patterns and correlations within unstructured data so as to transform it into actionable information. It is hoped that this in addition to the human perspective and experience afforded to the process could enable decision makers to rely upon information that is both reliable and up to date to formulate durable and self-sustaining development policies.

The availability of raw data has to be adequately complemented with intent and a capacity to use it effectively. To this effect, there is an emerging volume of literature that seeks to characterize the primary sources of this Big Data as sharing certain easily distinguishable features. Firstly, it is digitally generated and can be stored in a binary format, thus making it susceptible to requisite manipulation by computers attempting to engage in its interpretation. It is passively produced as a by-product of digital interaction and can be automatically extracted for the purpose of continuous analysis. It is also geographically traceable within a predetermined time period. It is however important to note that "real time" does not necessarily refer to information occurring instantly but is reflective of the relatively short time in which the information is produced and made available thus making it relevant within the requisite timeframe. This allows efficient responsive action to be taken in a short span of time thus creating a feedback loop. [19]

In most cases the granularity of the data is preferably sought to be expanded over a larger spatial context such as a village or a community as opposed to an individual simply because this affords an adequate recognition of privacy concerns and the lack of definitive consent of the individuals in the extraction of this data. In order to ease the process of determination of this data, the UN Global Pulse has developed taxonomy of sorts to assess the types of data sources that are relevant to utilizing this information for development purposes.[20] These include the following sources;

Data Exhaust or the digital footprint left behind by individuals' use of technology for service oriented tasks such as web purchases, mobile phone transactions and real time information collected by UN agencies to monitor their projects such as levels of food grains in storage units, attendance in schools etc.

Online Information which includes user generated content on the internet such as news, blog entries and social media interactions which may be used to identify trends in human desires, perceptions and needs.

Physical sensors such as satellite or infrared imagery of infrastructural development, traffic patterns, light emissions and topographical changes, thus enabling the remote sensing of changes in human activity over a period of time.

Citizen reporting or crowd sourced data , which includes information produced on hotlines, mobile based surveys, customer generated maps etc. Although a passive source of data collection, this is a key instrument in assessing the efficacy of action oriented plans taken by decision makers.

The capacity to analyze this big data is hinged upon the reliance placed on technologically advanced processes such as powerful algorithms which can synthesize the abundance of raw data and break down the information enabling the identification of patterns and correlations. This process would rely on advanced visualization techniques such "sense-making tools"[21]

The identification of patterns within this data is carried out through a process of instituting a common framework for the analysis of this data. This requires the creation of a specific lexicon that would help tag and sort the collected data. This lexicon would specify what type of information is collected and who it is interpreted and collected by, the observer or the reporter. It would also aid in the determination of how the data is acquired and the qualitative and quantitative nature of the data. Finally, the spatial context of the data and the time frame within which it was collected constituting the aspects of where and when would be taken into consideration. The data would then be analyzed through a process of Filtering, Summarizing and Categorizing the data by transforming it into an appropriate collection of relevant indicators of a particular population demographic. [22]

The intensive mining of predominantly socioeconomic data is known as "reality mining" [23] and this can shed light on the processes and interactions that are reflected within the data. This is carried out via a tested three fold process. Firstly, the " Continuous Analysis over the streaming of the data", which involves the monitoring and analyzing high frequency data streams to extract often uncertain raw data. For example, the systematic gathering of the prices of products sold online over a period of time. Secondly, "The Online digestion of semi structured data and unstructured data", which includes news articles, reviews of services and products and opinion polls on social media that aid in the determination of public perception, trends and contemporary events that are generating interest across the globe. Thirdly, a 'Real-time Correlation of streaming data with slowly accessible historical data repositories,' which refers to the "mechanisms used for correlating and integrating data in real-time with historical records."[24] The purpose of this stage is to derive a contextualized perception of personalized information that seeks to add value to the data by providing a historical context to it. Big Data for development purposes would make use of a combination of these depending on the context and need.

(i) Policy Formulation

The world today has become increasingly volatile in terms of how the decisions of certain countries are beginning to have an impact on vulnerable communities within entirely different nations. Our global economy has become infinitely more susceptible to fluctuating conditions primarily because of its interconnectivity hinged upon transnational interdependence. The primordial instigators of most of these changes, including the nature of harvests, prices of essential commodities, employment structures and capital flows, have been financial and environmental disruptions. [25] According to the OECD, " Disruptive shocks to the global economy are likely to become more frequent and cause greater economic and social hardship. The economic spillover effects of events like the financial crisis or a potential pandemic will grow due to the increasing interconnectivity of the global economy and the speed with which people, goods and data travel."[26]

The local impacts of these fluctuations may not be easily visible or even traceable but could very well be severe and long lasting. A vibrant literature on the vulnerability of communities has highlighted the impacts of these shocks on communities often causing children to drop out of school, families to sell their productive assets, and communities to place a greater reliance on state rations.[27] These vulnerabilities cannot be definitively discerned through traditional systems of monitoring and information collection. The evidence of the effects of these shocks often take too long to reach decision makers; who are unable to formulate effective policies without ascertaining the nature and extent of the hardships suffered by these in a given context. The existing early warning systems in place do help raise flags and draw attention to the problem but their reach is limited and veracity compromised due to the time it takes to extract and collate this information through traditional means. These traditional systems of information collection are difficult to implement within rural impoverished areas and the data collected is not always reliable due to the significant time gap in its collection and subsequent interpretation. Data collected from surveys does provide an insight into the state of affairs of communities across demographics but this requires time to be collected, processed, verified and eventually published. Further, the expenses incurred in this process often prove to be difficult to offset.

The digital revolution therefore provides a significant opportunity to gain a richer and deeper insight into the very nature and evolution of the human experience itself thus affording a more legitimate platform upon which policy deliberations can be articulated. This data driven decision making, once the monopoly of private institutions such as The World Economic Forum and The McKinsey Institute [28] has now emerged at the forefront of the public policy discourse. Civil society has also expressed an eagerness to be more actively involved in the collection of real-time data after having perceived its benefits. This is evidenced by the emergence of 'crowd sourcing'[29] and other 'participatory sensing' [30] efforts that are founded upon the commonalities shared by like minded communities of individuals. This is being done on easily accessible platforms such as mobile phone interfaces, hand-held radio devices and geospatial technologies. [31]

The predictive nature of patterns identifiable from big data is extremely relevant for the purpose of developing socio-economic policies that seek to bridge problem-solution gaps and create a conducive environment for growth and development. Mobile phone technology has been able to quantify human behavior on an unprecedented scale.[32] This includes being able to detect changes in standard commuting patterns of individuals based on their employment status[33] and estimating a country's GDP in real-time by measuring the nature and extent of light emissions through remote sensing. [34]

A recent research study has concluded that "due to the relative frequency of certain queries being highly correlated with the percentage of physician visits in which individuals present influenza symptoms, it has been possible to accurately estimate the levels of influenza activity in each region of the United States, with a reporting lag of just a day." Online data has thus been used as a part of syndromic surveillance efforts also known as infodemiology. [35] The US Centre for Disease Control has concluded that mining vast quantities of data through online health related queries can help detect disease outbreaks " before they have been confirmed through a diagnosis or a laboratory confirmation." [36] Google trends works in a similar way.

Another public health monitoring system known as the Healthmap project compiles seemingly fragmented data from news articles, social media, eye-witness reports and expert discussions based on validated studies to "achieve a unified and comprehensive view of the current global state of infectious diseases" that may be visualized on a map. [37]

Big Data used for development purpose can reduce the reliance on human inputs thus narrowing the room for error and ensuring the accuracy of information collected upon which policy makers can base their decisions.

(ii) Advocacy and Social Change

Due to the ability of Big Data to provide an unprecedented depth of detail on particular issues, it has often been used as a vehicle of advocacy to highlight various issues in great detail. This makes it possible to ensure that citizens are provided with a far more participative experience, capturing their attention and hence better communicating these problems. Numerous websites have been able to use this method of crowd sourcing to broadcast socially relevant issues[38]. Moreover, the massive increase in access to the internet has dramatically improved the scope for activism through the use of volunteered data due to which advocates can now collect data from volunteers more effectively and present these issues in various forums. Websites like Ushahidi[39] and the Black Monday Movement [40] being prime examples of the same. These platforms have championed various causes, consistently exposing significant social crises' that would otherwise go unnoticed.

The Ushahidi application used crowd sourcing mechanisms in the aftermath of the Haiti earthquake to set up a centralized messaging system that allowed mobile phone users to provide information on injured and trapped people.[41] An analysis of the data showed that the concentration of text messages was correlated with the areas where there was an increased concentration of damaged buildings. [42] Patrick Meier of Ushahidi noted "These results were evidence of the system's ability to predict, with surprising accuracy and statistical significance, the location and extent of structural damage post the earthquake." [43]

Another problem that data advocacy hopes to tackle, however, is that of too much exposure, with advocates providing information to various parties to help ensure that there exists no unwarranted digital surveillance and that sensitive advocacy tools and information are not used inappropriately. An interesting illustration of the same is The Tactical Technology Collective[44] that hopes to improve the use of technology by activists and various other political actors. The organization, through various mediums such as films, events etc. hopes to train activists regarding data protection and privacy awareness and skills among human rights activists. Additionally, Tactical Technology also assists in ensuring that information is used in an appealing and relevant manner by human rights activists and in the field of capacity building for the purposes of data advocacy.

Observed data such as mobile phone records generated through network operators as well as through the use of social media are beginning to embody an omnipotent role in the development of academia through detailed research. This is due to the ability of this data to provide microcosms of information within both contexts of finer granularity and over larger public spaces. In the wake of natural disasters, this can be extremely useful, as reflected by the work of Flowminder after the 2010 Haiti earthquake.[45] A similar string of interpretive analysis can be carried out in instances of conflict and crises over varying spans of time. Flowminder used the geospatial locations of 1.9 million subscriber identity modules in Haiti, beginning 42 days before the earthquake and 158 days after it. This information allowed researches to empirically determine the migration patterns of population post the earthquake and enabled a subsequent UNFPA household survey.[46] In a similar capacity, the UN Global Pulse is seeking to assist in the process of consultation and deliberation on the specific targets of the millennium development goals through a framework of visual analytics that represent the big data procured on each of the topics proposed for the post- 2015 agenda online.[47]

A recent announcement of collaboration between RTI International, a non-profit research organization and IBM research lab looks promising in its initiative to utilize big data analytics in schools within Mombasa County, Kenya.[48] The partnership seeks to develop testing systems that would capture data that would assist governments, non-profit organizations and private enterprises in making more informed decisions regarding the development of education and human resources within the region. Äs observed by Dr. Kamal Bhattacharya, The Vice President of IBM Research, "A significant lack of data on Africa in the past has led to misunderstandings regarding the history, economic performance and potential of the government." The project seeks to improve transparency and accountability within the schooling system in more than 100 institutions across the county. The teachers would be equipped with tablet devices to collate the data about students, classrooms and resources. This would allow an analysis of the correlation between the three aspects thus enabling better policy formulation and a more focused approach to bettering the school system. [49] This is a part of the United States Agency for International Development's Education Data for Decision Making (EdData II) project. According to Dr Kommy Weldemariam, Research Scientist , IBM Research, "… there has been a significant struggle in making informed decisions as to how to invest in and improve the quality and content of education within Sub-Saharan Africa. The Project would create a school census hub which would enable the collection of accurate data regarding performance, attendance and resources at schools. This would provide valuable insight into the building of childhood development programs that would significantly impact the development of an efficient human capital pool in the near future."[50]

A similar initiative has been undertaken by Apple and IBM in the development of the "Student Achievement App" which seeks to use this data for "content analysis of student learning". The Application as a teaching tool that analyses the data provided to develop actionable intelligence on a per-student basis." [51] This would give educators a deeper understanding of the outcome of teaching methodologies and subsequently enable better leaning. The impact of this would be a significant restructuring of how education is delivered. At a recent IBM sponsored workshop on education held in India last year , Katharine Frase, IBM CTO of Public Sector predicted that "classrooms will look significantly different within a decade than they have looked over the last 200 years."[52]

(iii) Access and the exchange of information

Big data used for development serves as an important information intermediary that allows for the creation of a unified space within which unstructured heterogeneous data can be efficiently organized to create a collaborative system of information. New interactive platforms enable the process of information exchange though an internal vetting and curation that ensures accessibility to reliable and accurate information. This encourages active citizen participation in the articulation of demands from the government, thus enabling the actualization of the role of the electorate in determining specific policy decisions.

The Grameen Foundation's AppLab in Kampala aids in the development of tools that can use the information from micro financing transactions of clients to identify financial plans and instruments that would be be more suitable to their needs.[53] Thus, through working within a community, this technology connects its clients in a web of information sharing that they both contribute to and access after the source of the information has been made anonymous. This allows the individual members of the community to benefit from this common pool of knowledge. The AppLab was able to identify the emergence of a new crop pest from an increase in online searches for an unusual string of search terms within a particular region. Using this as an early warning signal, the Grameen bank sent extension officers to the location to check the crops and the pest contamination was dealt with effectively before it could spread any further.[54]

(iv) Accountability and Transparency

Big data enables participatory contributions from the electorate in existing functions such as budgeting and communication thus enabling connections between the citizens, the power brokers and elites. The extraction of information and increasing transparency around data networks is also integral to building a self-sustaining system of data collection and analysis. However it is important to note that this information collected must be duly analyzed in a responsible manner. Checking the veracity of the information collected and facilitating individual accountability would encourage more enthusiastic responses from the general populous thus creating a conducive environment to elicit the requisite information. The effectiveness of the policies formulated by relying on this information would rest on the accuracy of such information.

An example of this is Chequeado, a non-profit Argentinean media outlet that specializes in fact-checking. It works on a model of crowd sourcing information on the basis of which it has fact checked everything from the live presidential speech to congressional debates that have been made open to the public. [55] It established a user friendly public database, DatoCHQ, in 2014 which allowed its followers to participate in live fact-checks by sending in data, which included references, facts, articles and questions, through twitter. [56] This allowed citizens to corroborate the promises made by their leaders and instilled a sense of trust in the government.

III. Big Data and Smart Cities in the Global South

Smart cities have become a buzzword in South Asia, especially after the Indian government led by Prime Minister Narendra Modi made a commitment to build 100 smart cities in India[57]. A smart city is essentially designed as a hub where the information and communication technologies (ICT) are used to create feedback loops with an almost minimum time gap. In traditional contexts, surveys carried out through a state sponsored census were the only source of systematic data collection. However these surveys are long drawn out processes that often result in a drain on State resources. Additionally, the information obtained is not always accurate and policy makers are often hesitant to base their decisions on this information. The collection of data can however be extremely useful in improving the functionality of the city in terms of both the 'hard' or physical aspects of the infrastructural environment as well as the 'soft' services it provides to citizens. One model of enabling this data collection, to this effect, is a centrally structured framework of sensors that may be able to determine movements and behaviors in real-time, from which the data obtained can be subsequently analyzed. For example, sensors placed under parking spaces at intersections can relay such information in short spans of time. South Korea has managed to implement a similar structure within its smart city, Songdo.[58]

Another approach to this smart city model is using crowd sourced information through apps, either developed by volunteers or private conglomerates. These allow for the resolving of specific problems by organizing raw data into sets of information that are attuned to the needs of the public in a cohesive manner. However, this system would require a highly structured format of data sets, without which significantly transformational result would be difficult to achieve.[59]

There does however exist a middle ground, which allows the beneficiaries of this network, the citizens, to take on the role of primary sensors of information. This method is both cost effective and allows for an experimentation process within which an appropriate measure of the success or failure of the model would be discernible in a timely manner. It is especially relevant in fast growing cities that suffer congestion and breakdown of infrastructure due to the unprecedented population growth. This population is now afforded with the opportunity to become a part of the solution.

The principle challenge associated with extracting this Big Data is its restricted access. Most organizations that are able to collect this big data efficiently are private conglomerates and business enterprises, who use this data to give themselves a competitive edge in the market, by being able to efficiently identify the needs and wants of their clientele. These organizations are reluctant to release information and statistics because they fear it would result in them losing their competitive edge and they would consequently lose the opportunity to benefit monetarily from the data collected. Data leaks would also result in the company getting a bad name and its reputation could be significantly hampered. Despite the individual anonymity, the transaction costs incurred in ensuring the data of their individual customers is protected is often an expensive process. In addition to this there is a definite human capital gap resulting from the significant lack of scientists and analysts to interpret raw data transmitted across various channels.

(i) Big Data in Urban Planning

Urban planning would require data that is reflective of the land use patterns of communities, combined with their travel descriptions and housing preferences. The mobility of individuals is dependent on their economic conditions and can be determined through an analysis of their purchases, either via online transactions or from the data accumulated by prominent stores. The primary source of this data is however mobile phones, which seemed to have transcend economic barriers. Secondary sources include cards used on public transport such as the Oyster card in London and the similar Octopus card used in Hong Kong. However, in most developing countries these cards are not available for public transport systems and therefore mobile network data forms the backbone of data analytics. An excessive reliance on the data collected through Smart phones could however be detrimental, especially in developing countries, simply because the usage itself would most likely be concentrated amongst more economically stable demographics and the findings from this data could potentially marginalize the poor.[60]

Mobile network big data (MNBD) is generated by all phones and includes CDRs, which are obtained from calls or texts that are sent or received, internet usage, topping up a prepaid value and VLR or Visitor Location Registry data which is generated whenever the phone is question has power. It essentially communicates to the Base Transceiver Stations (BSTs) that the phone is in the coverage area. The CDR includes records of calls made, duration of the call and information about the device. It is therefore stored for a longer period of time. The VLR data is however larger in volume and can be written over. Both VLR and CDR data can provide invaluable information that can be used for urban planning strategies. [61] LIRNEasia, a regional policy and regulation think-tank has carried out an extensive study demonstrating the value of MNBD in SriLanka.[62] This has been used to understand and sometimes even monitor land use patterns, travel patterns during peak and off seasons and the congregation of communities across regions. This study was however only undertaken after the data had been suitably pseudonymised.[63] The study revealed that MNBD was incredibly valuable in generating important information that could be used by policy formulators and decision makers, because of two primary characteristics. Firstly, it comes close to a comprehensive coverage of the demographic within developing countries, thus using mobile phones as sensors to generate useful data. Secondly, people using mobile phones across vast geographic areas reflect important information regarding patterns of their travel and movement. [64]

MNBD allows for the tracking and mapping of changes in population densities on a daily basis, thus identifying 'home' and 'work' locations, informing policy makers of population congestion so that thy may be able to formulate policies with respect to easing this congestion. According to Rohan Samarajiva, founding chair of LIRNEasia, "This allows for real-time insights on the geo-spatial distribution of population, which may be used by urban planners to create more efficient traffic management systems."^[65] This can also be used for the developmental economic policies. For example, the northern region of Colombo, a region inhabited by the low income families shows a lower population density on weekdays. This is reflective of the large numbers travelling to southern Colombo for employment. ^[66]Similarly, patterns of land use can be ascertained by analyzing the various loading patterns of base stations. Building on the success of the Mobile Data analysis project in SriLanka LIRNEasia plans to collaborate with partners in India and Bangladesh to assimilate real time information about the behavioral tendencies of citizens, using which policy makers may be able to make informed decisions. When this data is combined with user friendly virtual platforms such as smartphone Apps or web portals, it can also help citizens make informed choices about their day to day activities and potentially beneficial long term decisions. ^[67]

Challenges of using Mobile Network Data

Mobile networks invest significant sums of money in obtaining information regarding usage patterns of their services. Consequently, they may use this data to develop location based advertizing. In this context, there is a greater reluctance to share data for public purposes. Allowing access to one operator's big data by another could result in significant implications on the other with respect to the competitive advantage shared by the operator. A plausible solution to this conundrum is the accumulation of data from multiple sources without separating or organizing it according to the source it originates from. There is thus a lesser chance of sensitive information of one company being used by another. However, even operators do have concerns about how the data would be handled before this "mashing up" occurs and whether it might be leaked by the research organization itself. LIRNEasia used comprehensive non-disclosure agreements to ensure that the researchers who worked with the data were aware of the substantial financial penalties that may be imposed on them for data breaches. The access to the data was also restricted. [68]

Another line of argumentation advocates for the open sharing of data. A recent article in the Economist has articulated this in the context of the Ebola outbreak in West Africa. " Releasing the data, though, is not just a matter for firms since people's privacy is involved. It requires governmental action as well. Regulators in each affected country would have to order operators to make their records accessible to selected researchers, who through legal agreements would only be allowed to use the data in a specific manner. For example, Orange, a major mobile phone network operator has made millions of CDRs from Senegal and The Ivory Coast available for researchers for their use under its Data Development Initiative. However the Political will amongst regulators and Network operators to do this seems to be lacking."[69]

It would therefore be beneficial for companies to collaborate with the customers who create the data and the researchers who want to use it to extract important insights. This however would require the creation of and subsequent adherence to self regulatory codes of conduct. [70] In addition to this cooperation between network operators will assist in facilitating the transference of the data of their customers to research organizations. Sri Lanka is an outstanding example of this model of cooperation which has enabled various operators across spectrums to participate in the mobile-money enterprise.[71]

(ii) Big Data and Government Delivery of Services and Functions

The analysis of Data procured in real time has proven to be integral to the formulation of policies, plans and executive decisions. Especially in an Asian context, Big data can be instrumental in urban development, planning and the allocation of resources in a manner that allows the government to keep up with the rapidly growing demands of an empowered population whose numbers are on an exponential rise. Researchers have been able to use data from mobile networks to engage in effective planning and management of infrastructure, services and resources. If, for example, a particular road or highway has been blocked for a particular period of time an alternative route is established before traffic can begin to build up creating a congestion, simply through an analysis of information collected from traffic lights, mobile networks and GPS systems.[72]

There is also an emerging trend of using big data for state controlled services such as the military. The South Korean Defense Minister Han Min Koo, in his recent briefing to President Park Geun-hye reflected on the importance of innovative technologies such as Big Data solutions. [73]

The Chinese government has expressed concerns regarding data breaches and information leakages that would be extremely dangerous given the exceeding reliance of governments on big data. A security report undertaken by Qihoo 360, China's largest software security provider established that 2,424 of the 17,875 Web security loopholes were on government websites. Considering the blurring line between government websites and external networks, it has become all the more essential for authorities to boost their cyber security protections.[74]

The Japanese government has considered investing resources in training more data scientists who may be able to analyze the raw data obtained from various sources and utilize requisite techniques to develop an accurate analysis. The Internal Affairs and Communication Ministry planned to launch a free online course on big data, the target of which would be corporate workers as well as government officials.[75]

Data analytics is emerging as an efficient technique of monitoring the public transport management systems within Singapore. A recent collaboration between IBM, StarHub, The Land Transport Authority and SMRT initiated a research study to observe the movement of commuters across regions. ^[76] This has been instrumental in revamping the data collection systems already in place and has allowed for the procurement of additional systems of monitoring.^[77] The idea is essentially to institute a "black box" of information for every operational unit that allows for the relaying of real-time information from sources as varied as power switches, tunnel sensors and the wheels, through assessing patterns of noise and vibration. ^[78]

In addition to this there are numerous projects in place that seek to utilize Big Data to improve city life. According to Carlo Ritti, Director of the MIT Senseable City Lab, "We are now able to analyze the pulse of a city from moment to moment. Over the past decade, digital technologies have begun to blanket our cities, forming the backbone of a large, intelligent infrastructure." ^[79] The professor of Information Architecture and Founding Director of the Singapore ETH Centre, Gerhart Schmitt has observed that "the local weather has a major impact on the behavior of a population." In this respect the centre is engaged in developing a range of visual platforms to inform citizens on factors such as air quality which would enable individuals to make everyday choices such as what route to take when planning a walk or predict a traffic jam. ^[80] Schmitt's team has also been able to arrive at a pattern that connects the demand for taxis with the city's climate. The amalgamation of taxi location with rainfall data has been able to help locals hail taxis during a storm. This form of data can be used in multiple ways allowing the visualization of temperature hotspots based on a "heat island" effect where buildings, cars and cooling units cause a rise in temperature. ^[81]

Microsoft has recently entered into a partnership with the Federal University of Minas Gerais, one of the largest universities in Brazil to undertake a research project that could potentially predict traffic jams up to an hour in advance. ^[82] The project attempts to analyze information from transport departments, road traffic cameras and drivers social network profiles to identify patterns that they could use to help predict traffic jams approximately 15 to 60 minutes before they actually happen.^[83]

In anticipation of the increasing demand for professionals with requisite training in data sciences, the Malaysian Government has planned to increase the number of local data scientists from the present 80 to 1500 by 2020, through the support of the universities within the country.

IV. Big Data and the Private Sector in the Global South

Essential considerations in the operations of Big Data in the Private sector in the Asia Pacific region have been extracted by a comprehensive survey carried out by the Economist Intelligence Unit.[84] Over 500 executives across the Asia Pacific region were surveyed, from across industries representing a diverse range of functions. 69% of these companies had an annual turnover of over US $500m. The respondents were senior managers responsible for taking key decisions with regard to investment strategies and the utilization of big data for the same.

The results of the Survey conclusively determined that firms in the Asia Pacific region have had limited success with implementing Big Data Practices. A third of the respondents claimed to have an advanced knowledge of the utilization of big data while more than half claim to have made limited progress in this regard. Only 9% of the Firms surveyed cited internal barriers to implementing big data practices. This included a significant difficulty in enabling the sharing of information across boundaries. Approximately 40% of the respondents surveyed claimed they were unaware of big data strategies, even if they had in fact been in place simply because these had been poorly communicated to them. Almost half of the firms however believed that big data plays an important role in the success of the firm and that it can contribute to increasing revenue by 25% or more.

Numerous obstacles in the adoption of big data were cited by the respondents. These include the lack of suitable software to interpret the data and the lack of in-house skills to analyze the data appropriately. In addition to this, the lack of willingness on the part of various departments to share their data for the fear of a breach or leak was thought to be a major hindrance. This combined with a lack of communication between the various departments and exceedingly complicated reports that cannot be analyzed given the limited resources and lack of human capital qualified enough to carry out such an analysis, has resulted in an indefinite postponement of any policy propounding the adoption of big data practices.

Over 59% of the firms surveyed agreed that collaboration is integral to innovation and that information silos are a huge hindrance within a knowledge based economy. There is also a direct correlation between the size of the company and its progress in adopting big data, with larger firms adopting comprehensive strategies more frequently than smaller ones. A major reason for this is that large firms with substantially greater resources are able to actualize the benefits of big data analytics more efficiently than firms with smaller revenues. These businesses which have advanced policies in place outlining their strategies with respect to their reliance on big data are also more likely to communicate these strategies to their employees to ensure greater clarity in the process.

The use of big data was recently voted as the "best management practice" of the past year according to a cumulative ranking published by Chief Executive China Magazine, a Trade journal published by Global Sources on 13th January, 2015 in Beijing. The major benefit cited was the real-time information sourced from customers, which allows for direct feedback from clients when making decisions regarding changes in products or services. [85]

A significant contributor to the lack of adequate usage of data analytics is the belief that a PhD is a prerequisite for entering the field of data science. This misconception was pointed out by Richard Jones, vice president of Cloudera in the Australia, New Zealand and the Asean region. Cloudera provides businesses with the requisite professional services that they may need to effectively utilize Big Data. This includes a combination of the necessary manpower, technology and consultancy services.^[86] Deepak Ramanathan, the chief technology officer, SAS Asia Pacific believes that this skill gap can be addressed by forming data science teams within both governments and private enterprises. These teams could comprise of members with statistical, coding and business skills and allow them to work in a collaborative manner to address the problem at hand.^[87] SAS is an Enterprise Software Giant that creates tools tailored to suit business users to help them interpret big data. Eddie Toh, the planning and marketing manager of Intel's data center platform believes that businesses do not necessarily need data scientists to be able to use big data analytics to their benefit and can in fact outsource the technical aspects of the interpretation of this data as and when required.^[88]

The analytical team at Dell has forged a partnership with Brazilian Public Universities to facilitate the development of a local talent pool in the field of data analytics. The Instituto of Data Science (IDS) will provide training methodologies for in person or web based classes. ^[89] The project is being undertaken by StatSoft, a subsidiary of Dell that was acquired by the technology giant last year. ^[90]

V. Conclusion

There have emerged numerous challenges in the analysis and interpretation of Big Data. While it presents an extremely engaging opportunity, which has the potential to transform the lives of millions of individuals, inform the private sector and influence government, the actualization of this potential requires the creation of a sustainable foundational framework ; one that is able to mitigate the various challenges that present themselves in this context.

A colossal increase in the rate of digitization has resulted in an unprecedented increment in the amount of Big Data available, especially through the rapid diffusion cellular technology. The importance of mobile phones as a significant source of data, especially in low income demographics cannot be overstated. This can be used to understand the needs and behaviors of large populations, providing an in depth insight into the relevant context within which valuable assessments as to the competencies, suitability and feasibilities of various policy mechanisms and legal instruments can be made. However, this explosion of data does have a lasting impact on how individuals and organizations interact with each other, which might not always be reflected in the interpretation of raw data without a contextual understanding of the demographic. It is therefore vital to employ the appropriate expertise in assessing and interpreting this data. The significant lack of a human resource to capital to analyze this information in an accurate manner poses a definite challenge to its effective utilization in the Global South.

The legal and technological implications of using Big Data are best conceptualized within the deliberations on protecting the privacy of the contributors to this data. The primary producers of this information, from across platforms, are often unaware that they are in fact consenting to the subsequent use of the data for purposes other than what was intended. For example people routinely accept terms and conditions of popular applications without understanding where or how the data that they inadvertently provide will be used.[91] This is especially true of media generated on social networks that are increasingly being made available on more accessible platforms such as mobile phones and tablets. Privacy has and always will remain an integral pillar of democracy. It is therefore essential that policy makers and legislators respond effectively to possible compromises of privacy in the collection and interpretation of this data through the institution of adequate safeguards in this respect.

Another challenge that has emerged is the access and sharing of this data. Private corporations have been reluctant to share this data due to concerns about potential competitors being able to access and utilize the same. In addition to this, legal considerations also prevent the sharing of data collected from their customers or users of their services. The various technical challenges in storing and interpreting this data adequately also prove to be significant impediments in the collection of data. It is therefore important that adequate legal agreements be formulated in order to facilitate a reliable access to streams of data as well as access to data storage facilities to accommodate for retrospective analysis and interpretation.

In order for the use of Big Data to gain traction, it is important that these challenges are addressed in an efficient manner with durable and self-sustaining mechanisms of resolving significant obstructions. The debates and deliberations shaping the articulation of privacy concerns and access to such data must be supported with adequate tools and mechanisms to ensure a system of "privacy-preserving analysis." The UN Global Pulse has put forth the concept of data philanthropy to attempt to resolve these issues, wherein " corporations [would] take the initiative to anonymize (strip out all personal information) their data sets and provide this data to social innovators to mine the data for insights, patterns and trends in realtime or near realtime."[92]

The concept of data philanthropy highlights particular challenges and avenues that may be considered for future deliberations that may result in specific refinements to the process.

One of the primary uses of Big Data, especially in developing countries is to address important developmental issues such as the availability of clean water, food security, human health and the conservation of natural resources. Effective Disaster management has also emerged as one of the key functions of Big Data. It therefore becomes all the more important for organizations to assess the information supply chains pertaining to specific data sources in order to identify and prioritize the issues of data management. [93] Data emerging from different contexts, across different sources may appear in varied compositions and would differ significantly across economic demographics. The Big Data generated from certain contexts would be inefficient due to the unavailability of data within certain regions and the resulting studies affecting policy decisions should take into account this discrepancy. This data unavailability has resulted in a digital divide which is especially prevalent in the global south. [94]

Appropriate analysis of the Big Data generated would provide a valuable insight into the key areas and inform policy makers with respect to important decisions. However, it is necessary to ensure that the quality of this data meets a specific standard and appropriate methodological processes have been undertaken to interpret and analyze this data. The government is a key actor that can shape the ecosystem surrounding the generation, analysis and interpretation of big data. It is therefore essential that governments of countries across the global south recognize the need to collaborate with civic organizations as well technical experts in order to create appropriate legal frameworks for the effective utilization of this data.

I. Introduction

The organization of societies and states is predicated on the development of Information Technology and has begun to enable the construction of specialized networks. These networks aid in the mobilization of resources on a global platform.[1] There is a need for governance structures that embody this globalized thinking and adopt superior information technology devices to bridge gaps in the operation and participation of not only political functions but also economic processes and operations.[2] Currently, public institutions fall short of an optimum level of functioning simply because they lack the information, know-how and resources to respond effectively to this newly globalized and economically liberalized world order. Civil society is beginning to seek a greater participatory voice in both policy making and ideating, which require public institutions to institute a method of allowing this participation while at the same time retaining the crux of their functions and processes. The network society thus requires, As argued by Castells, a new methodology of social structuring, one amalgamating the analysis of social structure and social action within the same overarching framework.[3] This Network propounds itself as a 'dynamic, self-evolving structure, which, powered by information technology and communicating with the same digital language, can grow, and include all social expressions, compatible with each network's goals. Networks increase their value exponentially through their contribution to human resources, markets, raw materials and other such components of production and distribution.' [4]

As noted by Kevin Kelly,' The Atom is the past. The symbol of science for the next century is the dynamical Net.…Whereas the Atom represents clean simplicity, the Net channels the messy power of complexity. The only organization capable of nonprejudiced growth or unguided learning is a network. All other topologies limit what can happen. A network swarm is all edges and therefore open ended any way you come at it. Indeed the network is the least structured organization that can be said to have any structure at all. ..In fact a plurality of truly divergent components can only remain coherent in a network. No other arrangement - chain, pyramid, tree, circle, hub - can contain true diversity working as a whole .'[5]

A network therefore is integral to the facilitation, coordination and advocacy of different agenda within a singular framework, which seeks to formulate suitable responses to a wide range of problems across regions. An ideal model of a network would therefore be one that is reflective of the interconnectivity between relationships, strengthened by effective communication and based on a strong foundation of trust.

The most powerful element of a network is however the idea of a common purpose. The pursuit is towards similar ends and therefore the interconnected web of support it offers is in realization of a singular goal,

II. Evolution of the Network

There are certain norms that must be incorporated for a network to be able to work at its best. Robert Chambers, in his book, Whose Reality Counts? Identifies these norms and postulates their extension to every form of a network, in order to capture its creative spirit and aid in the realization of its goals.[6] A network should therefore ideally foster four fundamental elements in order to inculcate an environment of trust, encouragement and the overall actualization of its purpose. These elements are; Diversity or the encouragement of a multitude of narratives from diverse sources, Dynamism or the ability of participants to retain their individual identities while maintaining a facilitative structure, Democracy or an equitable system of decision making to enable an efficient working of the net and finally, Decentralization or the feasibility of enjoying local specifics on a global platform.[7]

In order to attain these ideal elements it is integral to strengthen certain aspects of the practice through performing specific and focused functions, these include making sure of a clear broad consensus, which ensures the co-joining of a common purpose. Additionally, centralization, in the form of an overarching set of rules must be kept to a minimum, in order to facilitate a greater level of flexibility while still providing the necessary support structure. The building of trust and solid relationships between participants is prioritized to enhance creative ideation in a supportive environment. Joint activities, more than being output oriented are seen as the knots that tie together the entire web of support. Input and participation are the foremost objectives of the network, in keeping with the understanding that "contribution brings gain". [8]

Significant management issues that plague networks include the practical aspects of bringing the network into function through efficient leadership and the consolidation of a common vision. A balanced approach would entail a common consultation on the goals of the network, the sources of funding and an agreed upon structure within which the network would operate. It is also important to create alliances outside of the sector of familiarity and ensure an inclusive environment for members across regions, allowing them to retain their localized individuality while affording them with a global platform. [9]

III. Structure

The structural informality of a network is essential to its sustenance. Networks must therefore ensure that they embody a non-hierarchized structure, devoid of bureaucratic interferences and insulated from a centralized system of control and supervision. This requires an internal system of checks and balances, consisting of periodic reviews and assessments. Networks must therefore limit the powers of supervision of the secretariat. The secretariat must allow for the coordination of its activities and allocate appropriate areas of engagement according to the relative strength of the participating members.

One form of a network structure, postulated within a particular research study is the threads, knots and Nets model. [10] It consists of members within a network bound together by threads of relationship, communication and trust. These threads represent the commonality that binds together the participants of the particular network. The threads are established through common ideas and a voluntary participation in the process of communication and conflict resolution. [11]

The knots represent the combined activities which the participants engage in, with the common goal of realizing a singular purpose. These knots signify an optimum level of activity, wherein members of the network are able to support, inspire and confer tangible benefits onto each other. The net represents the entire structure of the network, which is constructed through a confluence of relationships and common activities. [12] The structure is autonomous in nature and allows participants to contribute without losing their individual identities. It is also dynamic and flexible; incorporating new elements with relative ease. It is therefore a collaboration which affords onto its members the opportunity to expand without losing its purpose. The maintenance of such a structure requires constant review and repair, with adequate awareness of weak links or "threads" and the capability and willingness to knot them together with new participants, thereby extending the net.

For example, the Global Alliance for Vaccines and Immunization used a system of organizational "milestones" to monitor the progress of the network and keep the network concentrated. It requires a sustained institutional effort to fulfill its mandate of "the right of every child to be protected against vaccine-preventable diseases" and brings together international organizations, civil society and private industry. [13] As postulated within the Critical Choices research study of the United Nations, clearly defined milestones are integral to sustaining an effective support mechanism for donors and ensuring that all relevant participants are on board. [14] This also allows for donors to be made aware of the tangible outcomes that have been achieved by the network. Interim goals that are achievable within a short span of time also afford a sense of legitimacy onto the network, allowing it to deliver on its mandate early on. Setting milestones would require an in depth focus and a nuanced understanding of specific aspects of larger problems and delivering early results on these problems would allow for a foundational base of trust, on the foundation of which, a possibly long drawn out consultative process can be fixed.[15]

A Network might often find alliances outside of its sector of operation. For example, Greenpeace was able to make its voice heard in International Climate Change negotiations by engaging with private insurance companies and enlisting their support.[16] The organization looked towards the private sector for support to mobilize resources and enlist the requisite expertise within their various projects. [17]

A. Funding

The financial support a network receives is essential for its sustenance. The initial seed money it receives can be obtained from a single source however, cross sectoral financing is necessary to build a consensus with regards to issues that may be a part of the network's mandate. The World Commission for Dams (WCD), for example, obtains funding from multiple sources in order to retain its credibility. The sources of funding of the WCD include government agencies, multilateral organizations, business associations, NGO's and Government Agencies, without a single donor contributing more than 10% of the total funding it receives.[18] However, the difficulty with this model of funding is the relative complexity in assimilating a number of smaller contributions, which may take away from its capacity to expand its reach and enhance the scope of its work. Cross sectoral funding is less of a fundamental requirement for networks whose primary mandate is implementation, such as The Global Environment Facility (GEF), whose legitimacy is derived from intergovernmental treaties and is therefore only funded by governments.[19] The GEF has only recently broadened its sources of funding to include external contributions from the private sector.

A network can also be funded through the objective it seeks to achieve through the course of its activities. For example, Rugmark an international initiative which seeks to mitigate the use of child labor in South Asia uses an external on site monitoring system to verify and provide labels certifying the production of carpets without the use of child labor.[20] The monitors of this system are trained by Rugmark and carpet producers have to sign a binding agreement, undertaking not to employ children below the age of 14 in order to receive the certification. The funds generated from these carpets, for the import of which American and European importers pay 1% of the import value, are used to provide rehabilitation and education facilities for the children in affected areas. The use of these funds is reported regularly. [21]

The funding must be sustained for a few years, which is a difficult task for networks that require an overall consensus of participants. The greatest outcomes of the network are not tangible solutions to the problem but the facilitation of an environment which allows stakeholders to derive a tangible solution. Thus, the elements of trust, communication and collaboration are integral to the efficient functioning of the network. However, the lack of tangible outcomes exposes the funders to financial risks. The best way to reduce such risks is to institute an uncompromising time limit for the initiative, within which it must achieve tangible results or solutions that can be implemented. A less stringent approach would be to incorporate a system of periodic review and assessment of the accomplishments of the network, subsequent to which further recommendations may be made for a further course of action.[22]

B. Relationships

A three year study conducted by Newell & Swan drew definitive conclusions with respect to the inter-organizational collaboration between participants within a network. The study determined that there currently exist three types of trust; Companion trust or the trust that exists within the goodwill and friendship between participants, Competence trust, wherein the competence of other participants to carry out the tasks assigned to them is agreed upon and lastly, Commitment trust or the trust which is predicated on contractual or inter-institutional that are agreed upon. [23] While companion and competence trust are easily identifiable, commitment trust is more subjective as it is determined by the agreement surrounding the core values and overall identifiable aims. Sheppard & Tuchinsky refer to an identification based trust which is based on a collective understanding of shared values. Such a trust requires significant investment but they argue, "The rewards are commensurably greater and the he benefits go beyond quantity, efficiency and flexibility." [24] Powell postulates, "Trust and other forms of social capital are moral resources that operate in fundamentally different manner than physical capital. The supply of trust increases, rather than decreases, with use: indeed, trust can be depleted if not used." [25]

Karl Wieck endorses the "maintenance of tight control values and beliefs which allow for local adaptation within centralized systems." [26] The autonomy that participants within a network enjoy is therefore considered to be close to sacred, so as to allow them to engage with each other on an equitable footing, while still maintain their individual identities. Freedman and Reynders believe that networks place a so called 'premium' on " the autonomy of those linked through the network…..networks provide a structure through which different groups - each with their own organizational styles, substantive priorities, and political strategies - can join together for common purposes that fill needs felt by each. "[27] Consequently, lower the level of centralized control within a network, the greater the requirement of trust. Allen Nan resonates with this idea, as is evident from her review of coordinating conflict resolution NGO's. She believes that these NGO's are most effective when " beginning with a loose voluntary association which grows through relationship building, gradually building more structure and authority as it develops. No NGO wants to give away its authority until it trusts a networking body of people that it knows. " [28]

C. Communication and Collaboration

The binding force that ties together any network is the importance of relationships between participants and their interactions with organizations outside the network. Research has shown that face to face interaction works best and although email may be practical, a face-to-face meeting at regular intervals builds a level of trust amongst participants. [29] It is however important to prevent network from turning into 'self-selecting oligarchies' and to prevent this, there needs to be a balance drawn between goodwill and the trust in others' competence along with a common understanding of differently hierarchized values. [30]

There is also an impending need to develop a relationship vocabulary, as suggested by Taylor, which would be of particular use within transnational networks and afford a deeper understanding of cross cultural relationships.[31]

D. Participation

A significant issue that networks today have to address is how to inculcate and then subsequently maintain participation in the activities of the network. This would include providing incentives to participants, encouraging diversity and enabling greater creative inflow across sectors to generate innovative output. Participation involves three fundamental elements; Action, which includes active contribution in the form of talking, listening, commenting, responding and sharing information, Process, which aids in an equitable system of decision making and constructing relationships and the underpinned values associated with these two elements, which include spreading equality, inculcating openness and including previously excluded communities or individuals. [32] Participation in itself envisages a three leveled definition; participation as a contribution, where people offer a tangible input, participation as an organization process, where people organize themselves to influence certain pre-existing processes and participation as a form of empowerment where people seek to gain power and authority from participating.

In order to create an autonomous system of evaluating and monitoring the nature and context of participation, a network would have to attempt to systematically incorporate a few fundamental processes, such as; enabling an understanding of the dynamism of a network through an established criteria of monitoring the levels of participation of the members, creating an explicit checklist of qualifications of this participation, such as the contributions of the participants, the limits of commitment and the available resources that must be shared and distributed, acknowledging the importance of relationships as fundamental to the success of any network., building a capacity for facilitative and shared leadership, tracing the changes that occur when the advocacy and lobbying activities of individuals are linked and using these individuals as participants who have the power to influence policy and development at various levels.[33] Finally, the recognition that utilizing the combined faculties of the network would aid in the effectuation of further change is vital to sustaining an active participation in the network.[34] It is common for networks to stagnate simply because of the lack of clarity on what a network really is or what it entails. There are significant misconceptions as to the activities engaged in by the network, such as the idea that a network "works solely as a resource center, to provide information, material and papers, rather than as forums for two way exchanges of information and experiences," contribute to the misunderstanding regarding the participation requirements within a network.[35] To facilitate an active, participatory function of learning, a network needs to be more than a resource center that seeks to meet the needs of beneficiaries. While meeting these needs is essential, development projects tend to obfuscate the benefit/input relationship within a network, thus significantly depleting its dynamism quotient. [36]

One method of moving away from the needs based model is to create a tripartite functionary, as was created within a particular research study. [37] This involves A Contributions Assessment, A Weaver's Triangle for Networks and An identification of channels of participation.

Contributions Assessment is an analysis of what the participants within a network are willing to contribute. It enables the network to assess what resources it has access to and how those resources may be distributes amongst the participants, multiplied or exchanged. [38] This system is predicated on a premise of assessing what participants have to offer as opposed to what they need. It challenges the long held notion of requiring an evaluation to identify problems, to address which recommendations are made and in fact seeks to focus on the moments of excellence and enable a discussion on the factors that contributed to these moments. [39] It thus places a value on the best of "what is" as opposed to trying to find a plausible "what ought to be". This approach allows participants to recognize that they are in fact the real "resource Centre" of the network and are encouraged act accordingly.

A Contributions Assessment may be practically incorporated through a few steps. It must be focused on the contributions, after a discussion on who the contributors may be. The aims of the network must be clarified, along with a specification of the contributions required such as perhaps newsletters, a conference, policy analysis etc. The members of the network must be clear on what they would like to contribute to the network and how such contribution might be delivered. Finally, the secretariat must be able to ideate or innovate on how it can enable more contributions from the networks in a more effective manner. [40]

The Weaver's Triangle has been adapted to be applies within networks and enables participants to understand what the aims and activities of the network are. It identifies the overall aim of the network and the change the network seeks to bring about to the status quo. It then lays out the objectives of the network in the form of specific statements about the said differences that the network seeks to bring about. Finally, the network would have to explain why a particular activity has been chosen. [41] The base of the triangle reflects the specific activities that the network seeks to engage in to achieve the said objectives. The triangle is further divided into two, to ensure that action aims and process aims have equal weightage; this allows for the facilitation of an exchange and a connection between the members of the network. [42]

The Circles of Participation is an idea that has been put forth by the Latin American and Caribbean Women's Health Network. (LACWHN). [43] This Network has three differentiated categories of membership, which it uses to determine the degree of commitment of an organization to the network. R- refers to the members who receive the women's health journal, P refers to members who actively participate in events and campaigns and who are advisors for specific topics. PP refers to the permanent participants within the network at national and international levels. They also receive a journal. This categorization allows the network to make an assessment of the dynamism and growth of a network, with members moving through the categories depending on their levels of participation. [44]

An important space for contributions to the network is the newsletter. This can be facilitated by allowing contributions from various sources, provided they meet the established quality checks, ensuring a balance between regions of origin of the members of the network, ensuring a balance between the policy and program activities of the members and keeping the centralized editorial process to a minimum. This is in keeping with the ideal of a decentralized system of expression that allows each member to retain its individuality while still contributing to the aims of the network. The Women's Global Network on Reproductive Rights (WGNRR) sought to create a similar system of publication to measure the success of their linkages, the levels of empowerment amongst members, in terms of strategizing and enabling localized action and the allocation of space in a fair and equitable manner. [45] Another Network, Creative Exchange customizes its information flow within the network so that each member only receives the information it expresses interest in.[46] This prevents the overburdening of members with unnecessary information.

The activities of the network which don't directly pass through the secretariat or the coordinator of the network can be monitored efficiently by keeping I close contact with new entrants to the network and capturing the essence of the activities that occur on the fringes of the network. This would allow an assessment of the diversity of the network. For example, Creative exchange sends out short follow up emails to determine the number and nature of contacts that have been made subsequent to a particular item in the newsletter. The UK Conflict Development and Peace Network (CODEP) records the newest subscribers to the network after every issue of their newsletter and AB Colombia sends out weekly news summaries electronically which are available for free to recipients who provide details of their professional engagements and why or how they wish to use these summaries. [47] This enables the mapping of the type of recipients the information reaches.

E. Leadership and Coordination

Sarason and Lorentz postulate four distinguishing characteristics that capture the creativity and expertise required by individuals leading and coordinating networks.[48] Knowledge of the territory or a broad understanding of the type of members, the resources available and the needs of the members is extremely important to facilitate an ideal environment of mutual trust and open dialogue between the members. Scanning the network for fluidity and assessing openings, making connections and innovating solutions would enable an efficient leadership that would contribute to the overall dynamism of the network. In addition to this, perceiving strengths and building on assets of existing resources would allow the network to capitalize on its strengths. Finally, the coordinators of a network must be a resource to all members of the network and thus enable them to create better and more efficient systems. They must therefore exercise their personal influence over members wherever required for the overall benefit of the network. Practically, a beneficial leadership would also require an inventive approach by providing fresh and interesting solutions to immediate problems. A sense of clarity, transparency and accountability would also encourage members of the network to participate more and engage with each other. It is important for the leadership within a network to deliver on expectations, while building consensus amongst its members.

A shared objective, a collaborative setting and a constant review of strategies is important to maintain linkages within a network. Responsible relationships underpinned by values and supported by flows of relevant information would allow an effective and fruitful analysis by those who are engaged within a network to do the relevant work. In addition to this, a respect for the autonomy of the network is essential.

F. Inclusion

Public policy networks are more often than not saturated with the economic and social elite from across the developed world. A network across the Global South would have to change this norm and extend its ambit of membership to grass root organizations, which might not have otherwise had the resources or the opportunity to be a part of a network.[49] Networks can achieve their long term goals only if they are driven by the willingness to include organizations from across economic demographics. This would ensure that their output is the result of a collaborative process that takes into account cross cultural norms and differentials across economic demographics.

The participation of diverse actors is reflective of the policy making processing having given due regard to on the ground realities and being sensitive towards the concerns of differently placed interest groups. Networks have been accused of catering only to the needs of industrial countries and subscribing to values of the global north thus stunting local development and enforcing double standards. This tarnishes the legitimacy of the processes inculcated within the network itself. It is therefore all the more essential that a network focused on the global south have a diverse collection of members from across backgrounds and economic contexts. Additionally, the accountability of the network to civil society is dependent on the nature of the links it maintains with the public. Inclusion thus fosters a sense of legitimacy and accountability. The inclusion of local institutions from the beginning would also increase the chances of the solutions provided by the network, being effectively implemented. Local inclusion affords a sense of responsibility and ensures that the network would remain sustainable in the long run. Allowing local stakeholders to take ownership of the network and participate in the formulation of policies, engage in planning and facilitate participation would enable an efficient addressing of significant public policy issues. [50] Thus networks would need to create avenues for participation of local institutions and civil society to engage in a democratic form of decision making.

III. Evaluation

The process of evaluation of a network is most efficiently effectuated through a checklist that has been formulated within a research study for the purpose of evaluating its own network. [51]

This checklist enumerates the various elements that have to be taken into consideration while evaluating the success of a network, as follows;

FIG 1.[52]

V. Learning and Recommendations

In order to facilitate the optimum working of a network several factors need to be taken into consideration and certain specific processes have to be incorporated into the regular functioning of the network. These are for example,

• Ensuring that the evaluation of the network occurs at periodic intervals with the requisite level of attention to detail and efficiency to enable an in depth recalibration of the functions and processes of the network. To this effect, evaluation specialists must be engaged not just at times of crises or instability but as accompaniments to the various processes undertaken by the network. This would enable a holistic development of the network.
• It is also important to understand the underlying values that define the unique nature of the network. The coordination of the network, its functions and its activities are intrinsically linked to these values and recognition of this element of the network would enable a greater functionality in the overall operation of the network.
• A strong relationship between the members of the network, predicated on trust and open dialogue is essential for its efficient functioning. This would allow the accumulation of innovative ideas and dynamic thought to direct the future activities of the network.
• The Secretariat or coordinator of the network must be able to engage the member in monitoring and evaluating the progress of the network. One method of enabling this coordination is through the institution of 'participant observer' methods at international conferences or meetings, which allow the members of the network to report back on the work that they have, which is linked to the work of other members.
• The autonomy of a network and its decentralized mechanism of functioning are integral to retain the individuality of its members, who seek to pursue institutional objectives. The members seek to facilitate creative thinking and share ideas and this must be supported by financial resources. A strong bond of trust between the members of a network is therefore essential to enable long term commitments and the flourishing of interpersonal communication between members.
• It is important that the subject area of operation of the network be comprehensively defined before the network comes into existence.
• As seen with the experience of Canadian Knowledge Networks, it is beneficial to be selective in inviting participant to the network and following a rigorous process of review and selection would ensure that only the best candidates are selected so as to facilitate effective partnerships with other networks, as a result of demonstrable expertise within a particular field.
• The management of a network must be disciplined, with clearly demarcated project deadlines and an optimum level of transparency and accountability. At the helm of leadership of every successful network, there has been intelligent, decisive and facilitative exchange, which is essential in securing a durable and potentially expandable space for the network to operate in.

A. Canadian Perspectives

A study of Canadian experiences was conducted by examining The Centers of Excellence and the Networks of Centers of Excellence (NCEs), which were funded through three Federal Granting Councils.[53] An initial observation that was made through the course of this study was that each network is intrinsically different and there is no uniform description which would fit all of them. The objectives of the Networks of Centers of Excellence Program are broadly, as follows; to encourage fundamental and applied research in fields which are critical to the economic development of Canada, to encourage the development and retention of world class scientists and engineers specializing in essential technologies, to manage multidisciplinary, cross sectoral national research programs which integrate stakeholder priorities through established partnerships and finally, to accelerate the exchange of research results within networks by accelerating technology transfers, made to users for social and economic development. [54] Extensive interviews carried out in the course of the research conducted by the ARA Consulting Group Inc. drew up particularly relevant conclusions with respect to the NCEs.

Firstly, they have been able to produce significant "cultural shifts" among the researchers associated with the network. This is attributed to the network facilitating a collaborative effort amongst researchers as opposed to their previous working, which was largely in isolation. The benefits of this collaboration have been identified as providing innovative ideas and leading the research itself in unprecedented directions. This has the effect of equipping Canada with the capability to compete on a global level with respect to its research endeavors. The culture shift has also allowed researchers to be more aware of the problems that plague industry and has instigated more in depth research into the development of the industrial sector. Government initiatives that have attempted to cohesively apply academic research to industry have had limited success. The NCE's however have managed to successfully disintegrate the barriers between these two seemingly disparate fields. This has resulted in a faster and more effective system of knowledge dissemination resulting in durable and self-sustaining economic development, which takes place at a faster rate. The NCE's have also been able to contribute to healthcare, wellness and overall sustainable development through their cross sectoral research approach, a model that can be used worldwide.

Another tangible effect has been that the relationship between industry and academic research is evolving into a positive and collaborative exchange, as opposed to the previous state which was largely isolationist, bordering on confrontational.[55] A possible cause of this is the increased representation of companies in the establishment of networks resulting in them influencing the course of research. This has not been met with any resistance from academic researchers who are driven by the imperative of an open publication. [56] Besides influencing the style of management, industrial representation has also brought about an increase in the level of private sector financial contributions made to NCEs. It is believed that these NCEs may even be able to support themselves in the next 7-8 years through the funding they receive from the commercialization of their research.

A third benefit that has emerged is the faster rate of production of new knowledge and innovative thinking. This is the result of collaborative techniques which is made more efficient through the use of modern technology. The increasing number of multi authored cross institutional scholarly publications made available by the NCE is evidentiary of this trend. The rate and quantity of technology transfers has also increased exponentially as a result of this. Knowledge networks also facilitate the mobilization of human resources and address cross disciplinary problems, resulting in an efficient and synergistic solutions. Their low cost, fast pace approach has been instrumental in constructing an understanding of and capacity to engage in sustainable development.

The significant contributions to sustainable development include the Canadian Genetic Diseases Network, which has discovered two specific genes that cause early onset Alzheimer's disease. The Sustainable Forest Management Network has claimed that its research does have a considerable level of influence on the industrial approach to sustainability. The Canadian Bacterial Disease Network conducts research on bacterially caused diseases which are mostly prevalent in developing countries, with a view to produce antibiotics and vaccines that may be able to successfully combat these vaccines. TeleLearning, another such network is working on the creation of software environments which will form the basis of technology based education in the future. [57] The greatest advantage of these knowledge networks is that they have been able to surpass traditional disciplinary barriers and have emerged at the forefront of interdisciplinary articulation, which is emerging as the path to breakthroughs in the fields of applied sciences and technology in the future. The NCE's have also been able to provide diverse working environments for graduate students, where they have been able to work under scientists associated with different specializations and across different departments. They have also been able to interact with government and industry representatives, giving them a far greater exposure of the field and equipping them to avail of a wide range of employment opportunities.

The corporate style of management incorporated within the NCEs encourages a sense of discipline and an enthusiasm for innovation. The Board of Directors at NCE's take on a perfunctory role and function as a typical corporate board. Researchers are therefore required to provide regular reports and meet deadlines to achieve predetermined goals that have been agreed upon. The new paradigm of sustainable development and the fluid transfer of knowledge requires this structure of management, even within a previously strictly academically oriented environment. NCEs have been incorporated as non-profit corporation for largely legal reasons such as the ownership of intellectual property.

The participation to these networks is restricted and is open only through an invitation, in the form of a submission of project proposals under a particular theme, with the final selection being made subject to a rigorous process of evaluation. This encourages the participants of the network to embody a degree of discipline and carry out their activities in a constructive, time bound manner.

B. Perceived Challenges

These knowledge networks, although extremely beneficial in the long run, do have certain specific issues that need to be addressed. Firstly, most formal knowledge networks do not have a formalized communication strategy. While they do make use of various forms of telecommunication, this communication is is no way formally directed or specific. Although some networks have managed to set up a directed communications strategy, supplemented by the involvement of specifically communications based networks (such as CANARIE) , there is still a long way to go in this area.

As is evident with most academic endeavors in recent years, efficient and sustained development both in terms of economy as well as self-sustenance, requires a smooth transitioning to a close collaboration with the industry. Although the NCE's have made progress in this area, a lesson that can be learnt from this is that knowledge networks do require a collaborative arrangement between researchers, the industry and the financial sector. [58] The nature of this collaboration cannot be predicted before tangible research outputs are developed that reflect the relevance of academia in the industrial and financial sectors. A particular network, PENCE has mandated that the boards of directors include a representative of the financial sector. This is a step forward in opening the doors to greater collaboration and mutually assured growth and sustainable development in both academia as well as the industrial and financial sectors.

As with all knowledge networks there is a continuous need for expansion of the focus areas to cover more fields and instigate research in neglected areas. The largest number of networks has been in the fields of healthcare and health associated work. However there is an impending need for networks to be established in other fields as well, such as those related to environmental issues, social dynamics and the general quality of life. [59]

The Canadian experience has resulted in a nuanced understanding of specific actions that need to be taken to strengthen knowledge networks across the spectrum. Firstly, there is an impending need to build new knowledge networks, which would be required to strengthen institutions upon which the networks are based. These include universities and research institutions, which have been weakened both financially and academically over the past few years. The NCE Program, on the face of it, seems to be strengthening universities, by attracting funding for research endeavors that would otherwise not be available to them. While this may be true, it tends to obfuscate the true nature of a university as an intellectual community, by portraying it as a funding source for research and equipment.[60] The deteriorating role of the university in fostering research and laying the foundation of an intellectual community can be reversed by the competition posed by the NCEs which tend to threaten its stature in the fields of multi-disciplinary and graduate institution. Another aspect that needs to be considered is the role of knowledge networks in fostering sustainable development not only on a national or regional scale but on a global level. This can be effectuated by allowing the amalgamation of the academia and industry through ample representation, a model that has proven to be effective within the NCEs. This is all the more relevant today where multinational corporations hold considerable sway over the global economy, so much so that the role of governments in regulating this economy is gradually decreasing. Multilateral investment treaties and agreements are reflective of this.

The final issue is that of the long standing debate between public good and proprietary knowledge. Canadian knowledge networks are of the opinion that knowledge must be freely disseminated. However, certain networks including the NCEs grant the exclusive right of the development and application of this knowledge to specific industry affiliates. On one hand this facilitates further investment into the research, which creates better products, new jobs and further social development. This is predicated on a fine balance of allowing this development without widening the already disparate socio-economic gaps that exist between developed and developing countries. Thus the balance between public good and propriety knowledge must be effectively managed by the regulatory role discharged by the governments and the decision making faculties of these knowledge networks. [61]

Establishing international linkages across networks based within different regions across the world would also be an effective means of ensuring effective partnerships and the creation of a new, self-sustaining structure. This would bring new prospects of funding into sustainable development activities and engage industrial affiliates with international development activities.

C. Donor Perspectives

The International Development Research Centre, based in Canada has also been instrumental in the setting up of support structures for networks. The IDRC has remained consistent in its emphasis of networks as mechanisms of linking scientists engaged in similar problems across the globe instead of as mechanisms to fund research in countries. This has afforded the IDRC with a greater level of flexibility in responding to the needs of developing countries as well as responding to the financial pressures within Canada to deliver superior technical support with a reduction in overheads. The IDRC sees networking an indispensable aspect of scientific pursuit and technological adaptation in the most effective manner. It is currently supporting four specific types of networks; horizontal networks which link together institutions with similar areas of specialization, vertical networks which work on disparate aspects of the same problem of different but interrelated problems, information networks which provide a centralized form of information service to members, which enables them to exchange information in the manner necessary and finally training networks which provide supervisory services to independent participants within the network.[62]

(I) Internal Evaluations

There is an outstanding need to monitor visits that are undertaken by the coordinator or the specific representatives of the member or donor as applicable. This would expedite the process of identifying problems and aid in deriving tangible solutions in an efficient manner. The criteria for the assessment would vary depending on the goals of the organization. Donors may pose questions with respect to the cost effectiveness of a particular pattern of research and may seek a formal report regarding this aspect. A more extensive model of donor evaluations may even include assessments with respect to the monitoring and coordination of specific functions.

(II) External Evaluations

A system of external evaluation would be useful with assessing data with respect to the operations of programs and their objectives. This would engage newer participants by injecting newer ideas and insights into the management and scope of the network. The most extensive method of network evaluation was one that was postulated by Valverde [63] and reviewed by Faris [64]. It aimed to draw an analysis of particular constraints and specific elements that would influence the execution of network programs. This method identifies a list of threats, opportunities, strengths and weaknesses which would inform future recommendations. The Valverde method makes use of both formal as well as informal data which is varied depending on the type of network and the management structure it employs.[65]

(III) Financial Viability

A network almost always requires external resources to aid in the setting up and coordination of its activities. Donor agencies must recognize the long term commitment that is required in this respect. It is therefore essential that the period for which this funding will be made available be clarified at the outset, to leave agencies with ample time to plan for the possibility of cessation of external financial support. [66] As concluded from the findings of the research study, although most networks are offered external support, it is primarily technology transfer and information networks that have been able to generate the bulk of funding in this respect. They have been able to obtain this financial assistance from a variety of sources including participating organizations as well as governments. [67] The funding for purely research networks however are inconsistent and the networks would have to plan in advance for a possible cessation of financial support.[68]

(IV) Adaptability

From the perspective of donors, the degree of adaptability and level of responsiveness of a particular network is especially relevant in assessing the coordination, control and leadership of a particular network. A network that is plagued by ineffective leadership and the lack of coordination is unable to adapt to changing circumstances and meet the needs of its participants. A combination of collaborative effort, a localized approach and far-sighted leadership instills in the participants of the network a sense of comfort in its processes and in the donors a faith in its ability to address topical issues and remain relevant.

(V) The Exchange of Information

As noted by Akhtar, a network is created to respond to the growing need to improve channels of information exchange and communication. [69] Information needs to be tailored to suit its users and must be disseminated accordingly. The study conducted has concluded that information networks that are engaged in the transfer of technology are inefficient in disseminating internally derived information and recognizing the needs of their users.[70] Given that these networks are especially user oriented this systemic failure is extremely problematic. There is also a need to review the mechanism of transferring strategic research techniques and the approaches employed in dealing with developing countries. Special attention must be paid to the beneficiaries of a particular network so that the research conducted is directed towards that particular demographic. This is especially relevant for information networks, which from the evaluation; appear to be generating data but not considering who would be using these services.[71]

(VI) Capacity Building

Facilitating the training of individuals both on a formal and informal level has led to an enhance level of research and reporting, as well as the designing of projects. There is however a need to tailor this training to suit the needs of the participants of a particular network. Networks which have been able to provide inputs which are not ordinarily locally provided have instigated the establishment of national and regional institutions. [72]

(VII) Cost Effectiveness

It is important to note however that networks need to employ the most cost effective mechanism of delivering support services to national programs. A network must work in a manner that allows for enough individual enterprise but at the same time follows a collaborative model to generate more effective and relevant research within a short span of time and through the utilization of minimum resources. The Caribbean Technology Consultation Services (CTCS) for example was found to be far more cost effective and in fact 50% cheaper than the services of the United Nations Industrial Development Organization. [73] Similarly, the evaluators of the LAAN found that funding a network was significantly cheaper than finding individual research projects.[74]

The Centre for Internet and Society, Bangalore (CIS) is researching  the 100 Smart City Scheme from the perspective of Big Data and is seeking to understand the role of Big Data in smart cities in India as well as the impact of the generation and use of the same. CIS is also examining whether the current legal framework is adequate to deal with these new technologies. It was in this background that CIS attended a part of the workshop.

At the outset the organizers had noted that there will be no discussion on technology and its adoption in this particular workshop.. The format involved a speaker providing his/her viewpoint on the topic concerned and  the discussion revolved mainly around problems relating to traffic, parking, roads, drainage, etc. and there was no discussion of technology or how to utilise it to solve these problems. From the discussions CIS has had with certain people who are quite involved with these public consultations, the impression that we have is that the solutions to these problems were not very complicated and required only some intent and execution, and if that was achieved it would go a long way in improving the infrastructure of the city. This perspective raises the question of whether or not India needs 'Smart Cities' to improve the life of residents or if basic urban solutions are adequate and are in fact needed to lay the foundation for any potential smart city that might be established in the future.

It is quite interesting to see the difference in the levels at which the debate on smart cities is happening, in that when the central government talks about smart cities they try to highlight technology and other aspects such as smart meters, smart grids, etc. while the discussion on the ground in the actual cities is currently at a much more basic stage. For example the government website for the smart city project, while describing a smart city, mentions a number of “smart solutions” such as “electronic service delivery”, “smart meters” for water, “smart meters” for electricity, “smart parking”, Intelligent Traffic Management”, “Tele-medicine”, etc. Even in all the major public service announcements on the smart city project, the government effort seems to be to focus on these “smart solutions”, projecting technology as the answer to urban problems. However those in the cities themselves appear to be more concerned with adequate parking, adequate water supply, proper roads, waste disposal, etc. This difference in approach is only representative of the yawning gap between the mindspace of those who conceive these schemes and market them on the one hand and those who are tasked with implementing the schemes on the other hand as well as the realities of what cities in India need to address problems related to infrastructure and functioning. However the silver lining in this scenario, atleast on a personal level, is that the people on the ground, are not blindly turning to technology to solve their problems but actually trying to look for the best solutions regardless of whether it is a technology based solution or not.

Agenda

We from the Centre for Internet and Society wishes to express our dismay at the consistent way in which CCWG-Accountability has completely failed to take critical inputs from organizations like ours (and others, some instances of which have been highlighted in Richard Hill’s submission) into account, and has failed to even capture our concerns and misgivings about the process — as expressed in our submission to the CCWG-Accountability’s 2nd Draft Proposal on Work Stream 1 Recommendations — in any document prepared by the CCWG.  We cannot support the proposal in its current form.

Time for Comments

We believe firstly that the 21 day comment period itself was too short and is going to result effectively in many groups or categories of people from not being able to meaningfully participate in the process, which flies in the face of the values that ICANN claims to uphold. This extremely short period amounts to procedural unsoundness, and restrains educated discussion on the way forward, especially given that the draft has altered quite drastically in the aftermath to ICANN55.

Capture of ICANN and CCWG Process

The participation in the accountability-cross-community mailing list clearly shows that the process is dominated by developed countries (of the top 30 non-staff posters to the list, 26 were from the ‘WEOG’ UN grouping, with 14 being from the USA, with only 1 from Asia Pacific, 2 from Africa, and 1 from Latin America), by males (27 of the 30 non-staff posters), and by industry/commercial interests (17 of the top 30 non-staff posters).  If this isn’t “capture”, what is?  There is no stress test that overcomes this reality of capture of ICANN by Western industry interests.  The global community is only nominally multistakeholder, while actually being grossly under-representative of the developing nations, women and minority genders, and communities that are not business communities or technical communities.  For instance, of the 1010 ICANN-accredited registrars, 624 are from the United States, and 7 from the 54 countries of Africa.

Culling statistics from the accountability-cross-community mailing list, we find that of the top 30 posters (excluding ICANN staff):

• 57% were, as far as one could ascertain from public records, from a single country: the United States of America.
• 87% were, as far as one could ascertain from public records, participants from countries which are part of the WEOG UN grouping (which includes Western Europe, US, Canada, Israel, Australia, and New Zealand), which only has developed countries. None of those who participated substantively were from the EEC (Eastern European) group and only 1 was from Asia-Pacific and only 1 was from GRULAC (Latin American and Caribbean Group).
• 90% were male and 3 were female, as far as one could ascertain from public records.
• 57% were identifiable as primarily being from industry or the technical community, as far as one could ascertain from public records, with only 2 (7%) being readily identifiable as representing governments.

This lack of global multistakeholder representation greatly damages the credibility of the entire process, since it gains its legitimacy by claiming to represent the global multistakeholder Internet community.

Bogey of Governmental Capture

With respect to Stress Test 18, dealing with the GAC, the report proposes that the ICANN Bylaws, specifically Article XI, Section 2, be amended to create a provision where if two-thirds of the Board so votes, they can reject a full GAC consensus advice. This amendment is not connected to the fear of government capture or the fear that ICANN will become a government-led body; given that the advice given by the GAC is non-binding that is not a possibility. Given the state of affairs described in the submission made above, it is clear that for much of the world, their governments are the only way in which they can effectively engage within the ICANN ecosystem. Therefore, nullifying the effectiveness of GAC advice is harmful to the interests of fostering a multistakeholder ecosystem, and contributes to the strengthening of the kind of industry capture described above.

Jurisdiction

All discussions on the Sole Designator Model seem predicated on the unflinching certainty of ICANN’s jurisdiction continuing to remain in California, as the legal basis of that model is drawn from Californian corporate law.  To quote the draft report itself, in Annexe 12, it is stated that:

"Jurisdiction directly influences the way ICANN’s accountability processes are structured and operationalized. The fact that ICANN today operates under the legislation of the U.S. state of California grants the corporation certain rights and implies the existence of certain accountability mechanisms. It also imposes some limits with respect to the accountability mechanisms it can adopt. The topic of jurisdiction is, as a consequence, very relevant for the CCWG-Accountability. ICANN is a public benefit corporation incorporated in California and subject to California state laws, applicable U.S. federal laws and both state and federal court jurisdiction."

Jurisdiction has been placed within the mandate of WS2, to be dealt with post the transition.  However, there is no analysis in the 3rd Draft on how the Sole Designator Model would continue to be upheld if future Work Stream 2 discussions led to a consensus that there needed to be a shift in the jurisdiction of ICANN. In the event that ICANN shifts to, say, Delaware or Geneva, would there be a basis to the Sole Designator Model in the law?  Therefore this is an issue that needs to be addressed before this model is adopted, else there is a risk of either this model being rendered infructuous in the future, or this model foreclosing open debate and discussion in Work Stream 2.

Right of Inspection

We strongly support the incorporation of the rights of Inspection under this model as per Section 6333 of the California Corporations Code as a fundamental bylaw. As there is a severe gap between the claims that ICANN raises about its own transparency and the actual amount of transparency that it upholds, we opine that the right of inspection needs to be provided to each member of the ICANN community.

Timeline for WS2 Reforms

We support the CCWG’s commitment to the review of the DIDP Process, which they have committed to enhancing in WS2. Our research on this matter indicates that ICANN has in practice been able to deflect most requests for information. It regularly utilised its internal processes and discussions with stakeholders clauses, as well as clauses on protecting financial interests of third parties (over 50% of the total non-disclosure clauses ever invoked - see chart below) to do away with having to provide information on pertinent matters such as its compliance audits and reports of abuse to registrars. We believe that even if ICANN is a private entity legally, and not at the same level as a state, it nonetheless plays the role of regulating an enormous public good, namely the Internet. Therefore, there is a great onus on ICANN to be far more open about the information that they provide. Finally, it is extremely disturbing that they have extended full disclosure to only 12% of the requests that they receive. An astonishing 88% of the requests have been denied, partly or otherwise. See "Peering behind the veil of ICANN's DIDP (II)".

In the present format, there has been little analysis on the timeline of WS2; the report itself merely states that:

"The CCWG-Accountability expects to begin refining the scope of Work Stream 2 during the upcoming ICANN 55 Meeting in March 2016. It is intended that Work Stream 2 will be completed by the end of 2016."

Without further clarity and specification of the WS2 timeline, meaningful reform cannot be initiated. Therefore we urge the CCWG to come up with a clear timeline for transparency processes.

The article was published in the Wire on January 29, 2016. The original can be read here.

Ray Bradbury’s dystopian novel Fahrenheit 451 opens with the declaration, “It was a pleasure to burn.” The six unassuming words offer a glimpse into the mindset of the novel’s protagonist, ‘the fireman’ Guy Montag, who burns books. Montag occupies a world of totalitarian state control over the media where learning is suppressed and censorship prevails. The title alludes to the ‘temperature at which book paper catches fire and burns,’ an apt reference to the act of violence committed against citizens through the systematic destruction of literature. It is tempting to think about the novel solely as a story of censorship. It certainly is. But it is also a story about the value of intellectual freedom and the importance of information.

Published in 1953, Bradbury’s story predates home computers, the Internet, Twitter and Facebook, and yet it anticipates the evolution of these technologies as tools for censorship. When the state seeks to censor speech, they use the most effective and easiest mechanisms available. In Bradbury’s dystopian world, burning books did the trick; in today’s world, governments achieve this by blocking access to information online. The majority of the world’s Internet users encounter censorship even if the contours of control vary depending on the country’s policies and infrastructure.

Online censorship in India

In India, information access blockades have become commonplace and are increasingly enforced across the country for maintaining political stability, for economic reasons, in defence of national security or preserving social values. Last week, the Maharashtra Anti-terror Squad blocked 94 websites that were allegedly radicalising the youth to join the militant group ISIS. Memorably, in 2015 the NDA government’s ham-fisted attempts at enforcing a ban on online pornography resulted in widespread public outrage. Instead of revoking the ban, the government issued yet another vaguely worded and in many senses astonishing order. As reported by Medianama, the revised order delegates the responsibility of determining whether banned websites should remain unavailable to private intermediaries.

The state’s shifting reasons for blocking access to information is reflective of its tendentious attitude towards speech and expression. Free speech in India is messily contested and normally, the role of the judiciary acts as a check on the executive’s proclivity for banning. For instance, in 2010 the Supreme Court upheld the Maharashtra High Court’s decision to revoke the ban on the book on Shivaji by American author James Laine, which, according to the state government, contained material promoting social enmity. However, in the context of communications technology the traditional role of courts is increasingly being passed on to private intermediaries.

The delegation of authority is evident in the government notifying intermediaries to proactively filter content for ‘child pornography’ in the revised order issued to deal with websites blocked as result of its crackdown on pornography. Such screening and filtering requires intermediaries to make a determination on the legality of content in order to avoid direct liability. As international best practices such as the Manila Principles on Intermediary Liability point out, such screening is a slow process and costly and  intermediaries are incentivised to simply limit access to information.

Blocking procedures and secrecy

The constitutional validity of Section 69A of the Information Technology Act, 2008 which grants power to the executive to block access to information unchecked, and in secrecy was challenged in Shreya Singhal v. Union of India. Curiously, the Supreme Court upheld S69A reasoning that the provisions were narrowly-drawn with adequate safeguards and noted that any procedural inconsistencies may be challenged through writ petitions under Article 226 of the Constitution. Unfortunately as past instances of blocking under S69A reveal the provisions are littered with procedural deficiencies, amplified manifold by the authorities responsible for interpreting and implementing the orders.

Problematically, an opaque confidentiality criteria built into the blocking rules mandates secrecy in requests and recommendations for blocking and places written orders outside the purview of public scrutiny. As there are no comprehensive list of blocked websites or of the legal orders, the public has to rely on ISPs leaking orders, or media reports to understand the censorship regime in India. RTI applications requesting further information on the implementation of these safeguards have at best provided incomplete information.

Historically, the courts in India have held that Article 19(1)(a) of the Constitution of India is as much about the right to receive information as it is to disseminate, and when there is a chilling effect on speech, it also violates the right to receive information. Therefore, if a website is blocked citizens have a constitutional right to know the legal grounds on which access is being restricted. Just like the government announces and clarifies the grounds when banning a book, users have a right to know the grounds for restrictions on their speech online.

Unfortunately, under the present blocking regime in India there is no easy way for a service provider to comply with a blocking order while also notifying users that censorship has taken place. The ‘Blocking Rules’ require notice “person or intermediary” thus implying that notice may be sent to either the originator or the intermediary. Further, the confidentiality clause raises the presumption that nobody beyond the intermediaries ought to know about a block.

Naturally, intermediaries interested in self-preservation and avoiding conflict with the government become complicit in maintaining secrecy in blocking orders. As a result, it is often difficult to determine why content is inaccessible and users often mistake censorship for technical problem in accessing content. Consequently, pursuing legal recourse or trying to hold the government accountable for their censorious activity becomes a challenge. In failing to consider the constitutional merits of the confidentiality clause, the Supreme Court has shied away from addressing the over-broad reach of the executive.

Secrecy in removing or blocking access is a global problem that places limits on the transparency expected from ISPs. Across many jurisdictions intermediaries are legally prohibited from publicising filtering orders as well as information relating to content or service restrictions. For example in United Kingdom, ISPs are prohibited from revealing blocking orders related to terrorism and surveillance. In South Korea, the Korean Communications Standards Commission holds public meetings that are open to the public. However, the sheer volume of censorship (i.e. close to 10,000 URLs a month) makes it unwieldy for public oversight.

As the Manila Principles note, providing users with an explanation and reasons for placing restrictions on their speech and expression increases civic engagement. Transparency standards will empower citizens to demand that companies and governments they interact with are more accountable when it comes to content regulation. It is worth noting, for conduits as opposed to content hosts, it may not always be technically feasible for to provide a notice when content is unavailable due to filtering. A new standard helps improve transparency standards for network level intermediaries and for websites bound by confidentiality requirements. The recently introduced HTTP code for errors is a critical step forward in cataloguing censorship on the Internet.

A standardised code for censorship

On December 21, 2015, the Internet Engineering Standards Group (IESG) which is the organisation responsible for reviewing and updating the internet’s operating standards approved the publication of 451-’An HTTP Status Code to Report Legal Obstacles’. The code provides intermediaries a standardised way to notify users know when a website is unavailable following a legal order. Publishing the code allows intermediaries to be transparent about their compliance with court and executive orders across jurisdictions and is a huge step forward for capturing online censorship. HTTP code 451 was introduced by software engineer Tim Bray and the code’s name is an homage to Bradbury’s novel Fahrenheit 451.

Bray began developing the code after being inspired by a blog post by Terence Eden calling for a  censorship error code. The code’s official status comes after two years of discussions within the technical community and is a result of campaigning from transparency and civil society advocates who have been pushing for clearer labelling of internet censorship. Initially, the code received pushback from within the technical community for reasons enumerated by Mark Nottingham, Chair of the IETF HTTP Working Group in his blog. However, soon sites began using the code on an experimental and unsanctioned basis and faced with increasing demand for and feedback, the code was accepted.

The HTTP code 451 works as a machine-readable flag and has immense potential as a tool for organisations and users who want to quantify and understand censorship on the internet. Cataloguing online censorship is a challenging, time-consuming and expensive task. The HTTP code 451 circumvents confidentiality obligations built into blocking or licensing regimes and reduces the cost of accessing blocking orders.

The code creates a distinction between websites blocked following a court or an executive order, and when information is inaccessible due to technical errors. If implemented widely, Bray’s new code will help prevent confusion around blocked sites. The code addresses the issue of the ISP’s misleading and inaccurate usage of Error 403 ‘Forbidden’ (to indicate that the server can be reached and understood the request, but refuses to take any further action) or 404 ‘Not Found’ (to indicate that the requested resource could not be found but may be available again in the future).

Adoption of the new standard is optional, though at present there are no laws in India that prevent intermediaries doing so. Implementing a standardised machine-readable flag for censorship will go a long way in bolstering the accountability of ISPs that have in the past targeted an entire domain instead of the specified URL. Adoption of the standard by ISPs will also improve the understanding of the burden imposed on intermediaries for censoring and filtering content as presently, there is no clarity on what constitutes compliance.  Of course, censorious governments may prohibit the use of the code, for example by issuing an order that specifies not only that a page be blocked, but also precisely which HTTP return code should be used. Though such sanctions should be viewed as evidence of systematic rights violation and totalitarian regimes.

In India where access to software code repositories such as Github and Sourceforge are routinely restricted, the need for such code is obvious. The use of the code will improve confidence in blocking practices, allowing  users to understand the grounds on which their right to information is being restricted. Improving transparency around censorship is the only way to build trust between the government and its citizens about the laws and policies applicable to internet content.

Introduction

In 2008 Chris Anderson infamously proclaimed the 'end of theory'. Writing for Wired Magazine, Anderson predicted that the coming age of Big Data would create a 'deluge of data' so large that the scientific methods of hypothesis, sampling and testing would be rendered 'obsolete' [1]. For him and others, the hidden patterns and correlations revealed through Big Data analytics enable us to produce objective and actionable knowledge about complex phenomena not previously possible using traditional methodologies. As Anderson himself put it, 'there is now a better way. Petabytes allow us to say: "Correlation is enough." We can stop looking for models. We can analyze the data without hypotheses about what it might show. We can throw the numbers into the biggest computing clusters the world has ever seen and let statistical algorithms find patterns where science cannot' [2] .

In spite of harsh criticism of Anderson's article from across the academy, his uniquely (dis)utopian vision of the scientific utility of Big Data has since become increasingly mainstream with regular interventions from politicians and business leaders evangelising about Big Data's potentially revolutionary applications. Nowhere is this bout of data-philia more apparent than in India where the governments recently announced the launch of 'Digital India', a multi-million dollar project which aims to harness the power of public data to increase the efficiency and accessibility of public services [3]. In spite of the ambitious promises associated with Big Data however, many theorists remain sceptical about its practical benefits and express concern about its potential implications for conventional scientific epistemologies. For them the increased prominence of Big Data analytics in science does not signal a paradigmatic transition to a more enlightened data-driven age, but a hollowing out of the scientific method and an abandonment of casual knowledge in favour of shallow correlative analysis. In response, they emphasise the continued importance of theory and specialist knowledge to science, and warn against what they see as the uncritical adoption of Big Data in public policy-making [4]. In this article I will examine the challenges posed by Big Data technologies to established scientific epistemologies as well as the possible implications of these changes for public-policymaking. Beginning with an exploration of some of the ways in which Big Data is changing our understanding of scientific research and knowledge, I will argue that claims that Big Data represents a new paradigm of scientific inquiry are predicated upon a number of implicit assumptions about the nature of knowledge. Through a critic of these assumptions I will highlights some of the potential risks that an over-reliance on Big Data analytics poses for public policy-making, before finally making the case for a more nuanced approach to Big Data, which emphasises the continued importance of theory to scientific research.

Big Data: The Fourth Paradigm?

"Revolutions in science have often been preceded by revolutions in measurement".

In his book the Structure of Scientific Revolutions Kuhn describes scientific paradigms as 'universally recognized scientific achievements that, for a time, provide model problems and solutions for a community of researchers'[5]. Paradigms as such designate a field of intelligibility within a given discipline, defining what kinds of empirical phenomena are to be observed and scrutinized, the types of questions which can be asked of those phenomena, how those questions are to be structured as well as the theoretical frameworks within which the results can be analysed and interpreted. In short, they 'constitute an accepted way of interrogating the world and synthesizing knowledge common to a substantial proportion of researchers in a discipline at any one moment in time'[6]. Periodically however, Kuhn argues, that these paradigms can become destabilised by the development of new theories or the discovery of anomalies that cannot be explained through reference to the dominate paradigm. In such instances Kuhn claims, the scientific discipline is thrown into a period of 'crisis', during which new ideas and theories are proposed and tested, until a new paradigm is established and gains acceptance from the community.

More recently computer scientists Jim Gray, adopted and developed Kuhn's concept of the paradigm shift, charting history of science through the evolution of four broad paradigms, experimental science, theoretical science, computational science and exploratory science [7]. Unlike Kuhn however, who proposed that paradigm shifts occur as the result of anomalous empirical observations which scientists are unable to account for within the existing paradigm, Gray suggested that transitions in scientific practice are in fact primarily driven by advances and innovations in methods of data collection and analysis. The emergence of the experimental paradigm according to Gray can therefore be traced back to the ancient Greece and China when philosophers began to describe their empirical observations using natural rather an spiritual explanations. Likewise, the transition to the theoretical paradigm of science can be located in the 17^th Century during which time scientists began to build theories and models which made generalizations based upon their empirical observations. Thirdly, Gray identifies the emergence of a computational paradigm in the latter part of the 20^th Century in which advanced techniques of simulation and computational modelling were developed to help solve equations and explore fields of inquiry such as climate modelling which would have been impossible using experimental or theoretical methods. Finally, Gray proposed that we are today witnessing a transition to a 'fourth paradigm of science', which he termed the exploratory paradigm. Although also utilising advanced computational methods, unlike the previous computational paradigm which developed programs based upon established rules and theories, Gray suggested that within this new paradigm, scientists begin with the data itself; designing programs to mine enormous databases in the search for correlations and patterns; in effect using the data to discover the rules [8].

The implications of this shift are potentially significant for the nature of knowledge production, and are already beginning to be seen across a wide range of sectors. In the retail sector for example, data mining and algorithmic analysis are already being used to help predict items that a customers may wish to purchase based upon previous shopping habits[9]. Here, unlike with traditional research methodologies the analysis does not presuppose or hypothesise a relationship between items which it then attempts to prove through a process of experimentation, instead the relationships are identified inductively through the processing and reprocessing of vast quantities of data alone. By starting with the data itself, Big Data analysts circumvent the need for predictions or hypothesis about what one is likely to find, as Dyche observes 'mining Big Data reveals relationships and patterns that we didn't even know to look for'[10]. Similarly, by focussing primarily on the search for correlations and patterns as opposed to causation Big Data analysts also reject the need interpretive theory to frame the results instead researchers claim the outcomes are inherently meaningful and interpretable by anyone without the need for domain specific or contextual knowledge. For example, Joh observes how Big Data is being used in policing and law enforcement to help make better decisions about the allocation of police resources. By looking for patterns in the crime data they are able to make accurate predictions about the localities and times in which crimes are most likely to occur and dispatch their officers accordingly[11]. Such analysis according to Big Data proponents requires no knowledge of the cause of the crime, nor the social or cultural context within which it is being perpetrated, instead predictions and assessments are made purely on the basis of patterns and correlations identified within the historical data by statistical modelling.

In summary then, Gray's exploratory paradigm represents a radical inversion of the deductive scientific method, allowing researchers to derive insights directly from the data itself without the use of hypothesis or theory. Thus it is claimed, by enabling the collection and analysis of datasets of unprecedented scale and variety Big Data allows analysts to 'let the data speak for itself'[12], providing exhaustive coverage of social phenomena, and revealing correlations that are inherently meaningful and interpretable by anyone without the need for specialised subject knowledge or theoretical frameworks.

For Gray and others this new paradigm is made possible only by the recent exponential increase in the generation and collection of data as well as the emergence of new forms of data science, known collectively as "Big Data". For them the 'deluge of data' produced by the increase in the number of internet enabled devices as well as the nascent development of the internet of things, presents scientists and researchers with unprecedented opportunities to utilise data in new and innovative way to develop new insights across a wide range of sectors, many of which would have been unimaginable even 10 years ago. Furthermore, advances in computational and statistical methods as well as innovations in data visualization and methods of linking datasets, mean that scientist can now utilise the data available to its full potential or as professor Gary King quipped ' Big Data is nothing compared to a big algorithm'[13].

These developments in statistical and computational analysis combined with the velocity variety and quantity of data available to analysts have therefore allowed scientists to pursue new types of research, generating new forms of knowledge and facilitating a radical shift in how we think about "science" itself. As Boyd and Crawford note, ' Big Data [creates] a profound change at the levels of epistemology and ethics. Big Data reframes key questions about the constitution of knowledge, the processes of research, how we should engage with information, and the nature and the categorization of reality . . . [and] stakes out new terrains of objects, methods of knowing, and definitions of social life '[14]. For many these changes in the nature of knowledge production provide opportunities to improve decision-making, increase efficiency, encourage innovation across a broad range of sectors from healthcare and policing to transport to international development[15]. For others however, many of the claims of Big Data are premised upon some questionable methodological and epistemological assumptions, some of which threat to impoverish the scientific method and undermine scientific rigour [16].

Assumptions of Big Data

Given its bold claims the allure of Big Data in both the public and privates sectors is perhaps understandable. However despite the radical and rapid changes to research practice and methodology, there has nevertheless seemingly been a lack of reflexive and critical reflection concerning the epistemological implications of the research practices used in Big Data analytics. And yet implicit within this vision of the future of scientific inquiry lie a number of important and arguably problematic epistemological and ontological assumptions, most notably;

- Big Data can provide comprehensive coverage of phenomenon, capturing all relevant information.

- Big Data does not require hypothesis, a priori theory, or models to direct the data collection or research questions.

- Big Data analytics do not require theoretical framing in order to be interpretable. The data is inherently meaningful transcending domain specific knowledge and can be understood be anyone.

- Correlative knowledge is sufficient to make accurate predictions and guide policy decisions.

For many, these assumptions are highly problematic and call into question the claims that Big Data makes about itself. I will now look at each one in turn before proposing there possible implications for Big Data in Policy-making.

Firstly, whilst Big Data may appear to be exhaustive in its scope, it can only be considered to be so in the context of the particular ontological and methodological framework chosen by the researcher. No data set however large can scrutinize all information relevant to a given phenomenon. Indeed, even if it were somehow possible to capture all relevant quantifiable data within a specific domain, Big Data analytics would still be unable to fully account for the multifarious variables which are unquantifiable or undatafiable. As such Big Data does not provide an omnipresent 'gods-eye view', instead much like any other scientific sample it must be seen to provide the researcher with a singular and limited perspective from which he or she can observe a phenomenon and draw conclusions. It is important to recognise that this vantage point provides only one of many possible perspectives, and is shaped by the technologies and tools used to collect the data, as well as the ontological assumptions of the researchers. Furthermore, as with any other scientific sample, it is also subject to sampling bias and is dependent upon the researcher to make subjective judgements about which variables are relevant to the phenomena being studied and which can be safely ignored.

Secondly, claims by Big Data analysts to be able to generate insights directly from the data, signals a worrying divergence from deductive scientific methods which have been hegemonic within the natural sciences for centuries. For Big Data enthusiasts such as Prensky, 'scientists no longer have to make educated guesses, construct hypotheses and models, and test them with data-based experiments and examples. Instead, they can mine the complete set of data for patterns that reveal effects, producing scientific conclusions without further experimentation '[17]. Whereas, deductive reasoning begins with general statements or hypotheses and then proceeds to observe relevant data equipped with certain assumptions about what should be observed if the theory is to be proven valid; inductive reasoning conversely begins with empirical observations of specific examples from which it attempts to draw general conclusions. The more data collected the greater the probability that the general conclusions generated will be accurate, however regardless of the quantity of observations no amount of data can ever conclusively prove causality between two variables, since it is always possible that my conclusions may in future be falsified by an anomalous observation. For example, a researcher who had only ever observed the existence of white swans may reasonably draw the conclusion that 'all swans are white', whilst they would be justified in making such a claim, it would nevertheless be comprehensively disproven the day a black swan was discovered. This is what David Hume called the 'problem of induction'[18] and strikes at the foundation of Big Data claims to be able to provide explanatory and predictive analysis of complex phenomena, since any projections made are reliant upon the 'principle of uniformity of nature', that is the assumption that a sequence of events will always occur as it has in the past. As a result, although Big Data may be well suited to providing detailed descriptive accounts of social phenomena, without theoretical grounding it nevertheless remains unable to prove casual links between variables and therefore is limited in its ability to provide robust explanatory conclusions or give accurate predictions about future events.

Finally, just as Big Data enthusiasts claim that theory or hypotheses are not needed to guide data collection, so too they insist human interpretation or framing is no longer required for the processing and analysis of the data. Within this new paradigm therefore, 'the data speaks for itself' [19], and specialised knowledge is not needed to interpret the results which are now supposedly rendered comprehensible to anyone with even a rudimentary grasp of statistics. Furthermore, the results we are told are inherently meaningful, transcending culture, history or social context and providing pure objective facts uninhibited by philosophical or ideological commitments.

Initially inherited from the natural sciences, this radical form of empiricism thus presupposes the existence of an objective social reality occupied by static and immutable entities whose properties are directly determinable through empirical investigation. In this way, Big Data reduces the role of social science to the perfunctory calculation and analysis of the mechanical processes of pre-formed subjects, in much the same way as one might calculate the movement of the planets or the interaction of balls on a billiard table. Whilst proponents of Big Data claim that such an approach allows them to produce objective knowledge, by cleansing the data of any kind of philosophical or ideological commitment, it nevertheless has the effect of restricting both the scope and character of social scientific inquiry; projecting onto the field of social research meta-theoretical commitments that have long been implicit in the positivist method, whilst marginalising those projects which do not meet the required levels of scientificity or erudition.

This commitment to an empiricist epistemology and methodological monism is particularly problematic in the context of studies of human behaviour, where actions cannot be calculated and anticipated using quantifiable data alone. In such instances, a certain degree of qualitative analysis of social, historical and cultural variables may be required in order to make the data meaningful by embedding it within a broader body of knowledge. The abstract and intangible nature of these variables requires a great deal of expert knowledge and interpretive skill to comprehend. It is therefore vital that the knowledge of domain specific experts is properly utilized to help 'evaluate the inputs, guide the process, and evaluate the end products within the context of value and validity'[20].

Despite these criticisms however, Big Data is perhaps unsurprisingly increasingly becoming popular within the business community, lured by the promise of cheap and actionable scientific knowledge, capable of making their operations more efficient reducing overheads and producing better more competitive services. Perhaps most alarming from the perspective of Big Data's epistemological and methodological implications however, is the increasingly prominent role Big Data is playing in public policy-making. As I will now demonstrate, whilst Big Data can offer useful inputs into public policy-making processes, the methodological assumptions implicit within Big Data methodologies problems pose a number of risks to the effectiveness as well as the democratic legitimacy of public policy-making. Following an examination of these risks I will argue for a more reflexive and critical approach to Big Data in the public sector.

Big Data and Policy-Making: Opportunities and Risks

In recent year Big Data has begun to play an increasingly important role in public policy-making. Across the global, government funded projects designed to harvest and utilise vast quantities of public data are being developed to help improve the efficiency and performance of public services as well as better inform policy-making processes. At first glance, Big Data would appear to be the holy-grail for policy-makers - enabling truly evidence-based policy-making, based upon pure and objective facts, undistorted by political ideology or expedience. Furthermore, in an era of government debt and diminishing budgets, Big Data promises not only to produce more effective policy, but also to deliver on the seemingly impossible task of doing more with less, improving public services whilst simultaneously reducing expenditure.

In the Indian context, the government's recently announced 'Digital India' project promises to harness the power of public data to help modernise Indian's digital infrastructure and increase access to public services. The use of Big Data is seen as being central to the project's success, however, despite the commendable aspirations of Digital India, many commentators remain sceptical about the extent to which Big Data can truly deliver on its promises of better more efficient public services, whilst others have warned of the risk to public policy of an uncritical and hasty adoption of Big Data analytics [21]. Here I argue that the epistemological and methodological assumptions which are implicit within the discourse around Big Data threaten to undermine the goal of evidence based policy-making, and in the process widen already substantial digital divides.

It has long been recognised that science and politics are deeply entwined. For many social scientists the results of social research can be never entirely neutral, but are conditioned by the particular perspective of the researcher. As Shelia Jasanoff observed, 'Most thoughtful advisers have rejected the facile notion that giving scientific advice is simply a matter of speaking truth to power. It is well recognized that in thorny areas of public policy, where certain knowledge is difficult to come by, science advisers can offer at best educated guesses and reasoned judgments, not unvarnished truth' [22]. Nevertheless, 'unvarnished truth' is precisely what Big Data enthusiasts claim to be able to provide. For them the capacity of Big Data to derive results and insights directly from the data without any need for human framing, allows policy-makers to incorporate scientific knowledge directly into their decision-making processes without worrying about the 'philosophical baggage' usually associated with social scientific research.

However, in order to be meaningful, all data requires a certain level of interpretative framing. As such far from cleansing science of politics, Big Data simply acts to shift responsibility for the interpretation and contextualisation of results away from domain experts - who possess the requisite knowledge to make informed judgements regarding the significance of correlations - to bureaucrats and policy-makers, who are more susceptible to emphasise those results and correlations which support their own political agenda. Thus whilst the discourse around Big Data may promote the notion of evidence based policy-making, in reality the vast quantities of correlations generated by Big Data analytics act simply to broaden the range of 'evidence' from which politician can chose to support their arguments; giving new meaning to Mark Twain's witticism that there are 'lies, damn lies, and statistics'.

Similarly, for many an over-reliance on Big Data analytics for policy-making, risks leading to public policy which is blind to the unquantifiable and intangible. As already discussed above, Big Data's neglect of theory and contextual knowledge in favour of strict empiricism marginalises qualitative studies which emphasise the importance of traditional social scientific categories such as race, gender, and religion, in favour of a purely quantitative analysis of relational data. For many however consideration of issues such as gender, race, and religious sensitivity can be just as important to good public policy-making as quantitative data; helping to contextualise the insights revealed in the data and provide more explanatory accounts of social relations. They warn that neglect of such considerations as part of policy-making processes can have significant implications for the quality of the policies produced[23]. Firstly, although Big Data can provide unrivalled accounts of "what" people do, without a broader understanding of the social context in which they act, it fundamentally fails to deliver robust explanations of "why" people do it. This problem is especially acute in the case of public policy-making since without any indication of the motivations of individuals, policy-makers can have no basis upon which to intervene to incentivise more positive outcomes. Secondly, whilst Big Data analytics can help decision-makers to design more cost-effective policy, by for example ensuring better use of scarce resources; efficiency and cost-effectiveness are not the only metrics by which good policy can be judged. Public policy regardless of the sector must consider and balance a broad range of issues during the policy process including matters such as race, gender issues and community relations. Normative and qualitative considerations of this kind are not subject to a simplistic 1-0 quantification but instead require a great deal of contextual knowledge and insight to navigate successfully

Finally, to the extent that policy-makers are today attempting to harvest and utilise individual citizens personal data as direct inputs for the policy-making process, Big Data driven policy can in a very narrow sense be considered to offer a rudimentary form of direct democracy. At first glance this would appear to help to democratise political participation allowing public services to become automatically optimised to better meet the needs and preferences of citizens without the need for direct political participation. In societies such as India however, where there exist high levels of inequality in access to information and communication technologies, there remain large discrepancies in the quantities of data produced by individuals. In a Big Data world in which every byte of data is collected, analysed and interpreted in order to make important decisions about public services therefore, those who produce the greatest amounts of data, are better placed to have their voices heard the loudest, whilst those who lack access to the means to produce data risk becoming disenfranchised, as policy-making processes become configured to accommodate the needs and interests of a privilege minority. Similarly, using user generated data as the basis for policy decisions also leaves systems vulnerable to coercive manipulation. That is, once it has become apparent that a system has been automated on the basis of user inputs, groups or individuals may change their behaviour in order to achieve a certain outcome. Given these problems it is essential that in seeking to utilise new data resources for policy-making, we avoid an uncritical adoption of Big Data techniques, and instead as I argue below encourage a more balanced and nuanced approach to Big Data.

Data-Driven Science: A more Nuanced Approach?

Although an uncritical embrace of Big Data analytics is clearly problematic, it is not immediately obvious that a stubborn commitment to traditional knowledge-driven deductive methodologies would necessarily be preferable. Whilst deductive methods have formed the basis of scientific inquiry for centuries, the particular utility of this approach is largely derived from its ability to produce accurate and reliable results in situations where the quantities of data available are limited. In an era of ubiquitous data collection however, an unwillingness to embrace new methodologies and forms of analysis which maximise the potential value of the volumes of data available would seem unwise.

For Kitchen and others however, it is possible to reap the benefits of Big Data without comprising scientific rigour or the pursuit of casual explanations. Challenging the 'either or' propositions which favour either scientific modelling and hypothesis or data correlations, Kitchen instead proposes a hybrid approach which utilises the combined advantages of inductive, deductive and so-called 'abductive' reasoning, to develop theories and hypotheses directly from the data[24]. As Patrick W. Gross, commented 'In practice, the theory and the data reinforce each other. It's not a question of data correlations versus theory. The use of data for correlations allows one to test theories and refine them' [25].

Like the radical empiricism of Big Data, 'data-driven science' as Kitchen terms it, introduces an aspect of inductivism into the research design, seeking to develop hypotheses and insights 'born from the data' rather than 'born from theory'. Unlike the empiricist approach however, the identification of patterns and correlations is not considered the ultimate goal of the research process. Instead these correlations simply form the basis for new types of hypotheses generation, before more traditional deductive testing is used to assess the validity of the results. Put simply therefore, rather than interpreting data deluge as the 'end of theory', data-driven science instead attempts to harness its insights to develop new theories using alternative data-intensive methods of theory generation.

Furthermore unlike new empiricism, data is not collected indiscriminately from every available source in the hope that sheer size of the dataset will unveil some hidden pattern or insight. Instead, in keeping with more conventional scientific methods, various sampling techniques are utilised, 'underpinned by theoretical and practical knowledge and experience as to whether technologies and their configurations will capture or produce appropriate and useful research material'[26]. Similarly analysis of the data once collected does not take place within a theoretical vacuum, nor are all relationships deemed to be inherently meaningful; instead existing theoretical frameworks and domain specific knowledge are used to help contextualise and refine the results, identifying those patterns that can be dismissed as well as those that require closer attention.

Thus for many, data-driven science provides a more nuanced approach to Big Data allowing researchers to harness the power of new source of data, whilst also maintaining the pursuit of explanatory knowledge. In doing so, it can help to avoid the risks of uncritical adoption of Big Data analytics for policy-making providing new insights but also retaining the 'regulating force of philosophy'.

Conclusion

Since the publication of the Structure of Scientific Revolutions, Kuhn's notion of the paradigm has been widely criticised for producing a homogenous and overly smooth account of scientific progress, which ignores the clunky and often accidental nature of scientific discovery and innovation. Indeed the notion of the 'paradigm shift' is in many ways in typical of a self-indulgent and somewhat egotistical tendency amongst many historians and theorists to interpret events contemporaneous to themselves as in some way of great historical significance. Historians throughout the ages have always perceived themselves as living through periods of great upheaval and transition. In actual fact as has been noted by many, history and the history of science in particular rarely advances in a linear or predictable way, nor can progress when it does occur be so easily attributed to specific technological innovations or theoretical developments. As such we should remain very sceptical of the claims that Big Data represents a historic and paradigmatic shift in scientific practice. Such claims exhibit more than a hint of technological determinism and often ignore the substantial limitations to Big Data analytics. In contrast to these claims, it is important to note that technological advances alone do not drive scientific revolutions; the impact of Big Data will ultimately depend on how we decide to use it as well as the types of questions we ask of it.

Big Data holds the potential to augment and support existing scientific practices, creating new insights and helping to better inform public policy-making processes. However, contrary to the hyperbole surrounding its development, Big Data does not represent a sliver-bullet for intractable social problems and if adopted uncritically and without consideration of its consequences, Big Data risks not only to diminishing scientific knowledge but also jeopardising our privacy and creating new digital divides. It is critical therefore that we see through the hyperbole and headlines to reflect critically on the epistemological consequences of Big Data as well as its implications for policy making, a task unfortunately which in spite of the pace of technological change is only just beginning.

Bibliography

Anderson C (2008) The end of theory: The data deluge makes the scientific method obsolete. Wired, 23 June 2008. Available at: http://www.wired.com/science/discoveries/magazine/16-07/pb_theory (accessed 31 October 2015).

Bollier D (2010) The Promise and Peril of Big Data. The Aspen Institute. Available at: http://www.aspeninstitute.org/sites/default/files/content/docs/pubs/The_Promise_and_Peril_of_Big_Data.pdf (accessed 19 October 2015).

Bowker, G., (2013) The Theory-Data Thing, International Journal of Communication 8 (2043), 1795-1799

Boyd D and Crawford K (2012) Critical questions for big data. Information, Communication and Society 15(5): 662-679.

Cukier K (2010) Data, data everywhere. The Economist, 25 February (accessed 5 November 2015).

Department of Electronics and Information Technology (2015) Digital India, [ONLINE] Available at: http://www.digitalindia.gov.in/. [Accessed 13 December 15].

Dyche J (2012) Big data 'Eurekas!' don't just happen, Harvard Business Review Blog. 20 November. Available at: http://blogs.hbr.org/cs/2012/11/eureka_doesnt_just_ happen.html

Hey, T., Tansley, S., and Tolle, K (eds)., (2009) The Fourth Paradigm: Data-Intensive Scientific Discovery, Redmond: Microsoft Research, pp. xvii-xxxi.

Hilbert, M. Big Data for Development: From Information- to Knowledge Societies (2013). Available at SSRN: http://ssrn.com/abstract=2205145

Hume, D., (1748), Philosophical Essays Concerning Human Understanding (1 ed.). London: A. Millar.

Jasanoff, S., (2013) Watching the Watchers: Lessons from the Science of Science Advice, Guardian 8 April 2013, available at: http://www.theguardian.com/science/political-science/2013/apr/08/lessons-science-advice

Joh. E, 'Policing by Numbers: Big Data and the Fourth Amendment', Washington Law Review, Vol. 85: 35, (2014) https://digital.law.washington.edu/dspacelaw/bitstream/handle/1773.1/1319/89WLR0035.pdf?sequence=1;

Kitchen, R (2014) Big Data, new epistemologies and paradigm shifts, Big Data & Society, April-June 2014: 1-12

Kuhn T (1962) The Structure of Scientific Revolutions. Chicago: University of Chicago Press.

Mayer-Schonberger V and Cukier K (2013) Big Data: A Revolution that Will Change How We Live, Work and Think. London: John Murray

McCue, C., Data Mining and Predictive Analysis: Intelligence Gathering and Crime Analysis, Butterworth-Heinemann, (2014)

Morris, D. Big data could improve supply chain efficiency-if companies would let it, Fortune, August 5 2015, http://fortune.com/2015/08/05/big-data-supply-chain/

Prensky M (2009) H. sapiens digital: From digital immigrants and digital natives to digital wisdom. Innovate 5(3), Available at: http://www.innovateonline.info/index.php?view¼article&id¼705

Raghupathi, W., & Raghupathi, V. Big data analytics in healthcare: promise and potential. Health Information Science and Systems, (2014)

Shaw, J., (2014) Why Big Data is a Big Deal, Harvard Magazine March-April 2014, available at: http://harvardmagazine.com/2014/03/why-big-data-is-a-big-deal

The article was published in First Post on February 9, 2016. It can be read here.

Even the regulations it cites in the Explanatory Memorandum don’t go as far as it does. The Dutch regulation will have to be reformulated in light of the new EU regulations and the Chilean regulator has opened the discussion on an additional non-profit exception by allowing Wikipedia to zero-rate its content in partnership with telecom operators.

Bravo to Nikhil Pahwa, Apar Gupta, Raman Chima, Kiran Jonnalagadda and the thousands of volunteers at Save The Internet and associated NGOs, movements, entrepreneurs and activists who mobilized millions of Indians to stand up and petition TRAI to preserve some of the foundational underpinnings of the Internet. And finally bravo to Facebook for having completely undermined any claim to responsible stewardship of our information society through their relentless, shrill and manipulative campaign filled with the staggeringly preposterous lies. Having completely lost the trust of the Indian public and policy-makers, Facebook only has itself to blame for polarizing what was quite a nuanced debate in India through its hyperbole and setting the stage for this firm action by TRAI.

And most importantly bravo to RS Sharma and his team at TRAI for several reasons for the notification of “Prohibition of Discriminatory Tariffs for Data Services Regulations, 2016” aka differential pricing regulations. The regulation exemplifies six regulatory best practices that I briefly explore below.

Transparency and Agility: Two months from start to finish, what an amazing turn around! TRAI was faced with unprecedented public outcry and also comments and counter-comments. Despite visible and invisible pressures, from the initial temporary ban on Free Basics to RS Sharma’s calm, collected and clear interactions with different stakeholders resulted in him regaining the credibility which was lost during the publication of the earlier consultation paper on Regulatory Framework for Over-the-top (OTTs) services. Despite being completely snowed over electronically by what Rohin Dharmakumar dubbed as Facebook’s DDOS attack, he gave Facebook one last opportunity to do the right thing which they of course spectacularly blew.

Brevity and Clarity: The regulation fits onto three A4-sized pages and is a joy to read. Clarity is often a result of brevity but is not necessarily always the case. At the core of this regulation is a single sentence which prohibits discriminatory tariffs on the basis of content unless it is a “data service over closed electronic communications network”. And unlike many other laws and regulations, this regulation has only one exemption for offering or charging of discriminatory tariffs and that is for “emergency services” or during “grave public emergency”. Even the best lawyers will find it difficult to drive trucks through that one. Even if imaginative engineers architect a technical circumvention, TRAI says “if such a closed network is used for the purpose of evading these regulations, the prohibition will nonetheless apply”. Again clear signal that the spirit is more important than the letter of the regulation when it comes to enforcement.

Certainty and Equity: Referencing the noted scholar Barbara Van Schewick, TRAI explains that a case-by-case approach based on principles [standards] or rules would “fail to provide much needed certainty to industry participants…..service providers may refrain from deploying network technology” and perversely “lead to further uncertainty as service providers undergoing [the] investigation would logically try to differentiate their case from earlier precedents”. Our submission from the Centre for Internet and Society had called for more exemptions but TRAI went with a much cleaner solution as it did not want to provide “a relative advantage to well-financed actors and will tilt the playing field against those who do not have the resources to pursue regulatory or legal actions”.

What next? Hopefully the telecom operators and Facebook will have the grace to abide with the regulation without launching a legal challenge. And hopefully TRAI will issue equally clear regulations on throttling and blocking to conclude the “Regulatory Framework for Over-the-top Services” consultation process. Critically, TRAI must forbear from introducing any additional regulatory burdens on OTTs, a.k.a Internet companies based on unfounded allegations of regulatory arbitrage. There are some legitimate concerns around issues like taxation and liability but that has to be addressed by other arms of the government. To address the digital divide, there are other issues outside net neutrality such as shared spectrum, unlicensed spectrum and shared backhaul infrastructure that TRAI must also prioritize for regulation and deregulation.

Without doubt other regulators from the global south will be inspired by India’s example and will hopefully take firm steps to prevent the rise of additional and unnecessary gatekeepers and gatekeeping practices on the Internet. The democratic potential of the Internet must be preserved through enlightened and appropriate regulation informed by principles and evidence.

The writer is Executive Director, Centre for Internet and Society, Bengaluru. He says CIS receives about $200,000 a year from WMF, the organisation behind Wikipedia, a site featured in Free Basics and zero-rated by many access providers across the world).

1. International Organisation for Standardization: ISO/IEC JTC 1 Working group on Big Data (WG 9 )

● Background

- The International Organization for Standardization /International Electrotechnical Commission (ISO/IEC) Joint Technical Committee (JTC) 1, Information Technology announced the creation of a Working Group (WG) focused on standardization in connection with big data.

- JTC 1 is the standards development environment where experts come together to develop worldwide standards on Information and Communication Technology (ICT) for integrating diverse and complex ICT technologies.^[1]

- The American National Standards Institute (ANSI) holds the secretariat to JTC 1 and the ANSI-accredited U.S. Technical Advisory Group (TAG) Administrator to JTC 1 is theInterNational Committee for Information Technology Standards (INCITS) ^[2], an ANSI member and accredited standards developer (ASD). InterNational Committee for Information Technology standards (INCITS) is a technical committee on Big Data to serve as the US Technical Advisory Group (TAG) to JTC 1/WG 9 on Big Data/ pending approval of a New Work Item Proposal (NWIP). The INCITS/Big Data will address standardization in the areas assigned to JTC 1/WG 9. ^[3]

- Under U.S. leadership, WG 9 on Big Data will serve as the focus of JTC 1's big data standardization program.

● Objective

- To identify standardization gaps.

- Develop foundational standards for Big Data.

- Develop and maintain liaisons with all relevant JTC 1 entities

- Grow the awareness of and encourage engagement in JTC 1 Big Data standardization efforts within JTC 1. ^[4]

● Status

- JTC 1 appoints Mr. Wo Chang to serve as Convenor of the JTC 1 Working Group on Big Data.

- The WG has set up a Study Group on Big Data.

2. International Organisation for Standardization: ISO/IEC JTC 1 Study group on Big Data

● Background

- The ISO/IEC JTC1 Study Group on Big Data (JTC1 SGBD) was created by Resolution 27 at the November, 2013 JTC1 Plenary at the request of the USA and other national bodies for consideration of Big Data activities across all of JTC 1.

- A Study Group (SG) is an ISO mechanism by which the convener of a Working Group (WG) under a sub-committee appoints a smaller group of experts to do focused work in a specific area to identify a clear group to focus attention on a major area and expand the manpower of the committee.

- The goal of an SG is to create a proposal suitable for consideration by the whole WG, and it is the WG that will then decide whether and how to progress the work.^[5]

● Objective

JTC 1 establishes a Study Group on Big Data for consideration of Big Data

activities across all of JTC 1 with the following objectives:

- Mapping the existing landscape: Map existing ICT landscape for key technologies and relevant standards /models/studies /use cases and scenarios for Big Data from JTC 1, ISO, IEC and other standards setting organizations,

- Identify key terms : Identify key terms and definitions commonly used in the area of Big Data,

- Assess status of big data standardization : Assess the current status of Big Data standardization market requirements, identify standards gaps, and propose standardization priorities to serve as a basis for future JTC 1 work, and

- Provide a report with recommendations and other potential deliverables to the 2014 JTC 1 Plenary. ^[6]

● Current Status

- The study group released a preliminary report in the year 2014, which can be accessed here : http://www.iso.org/iso/big_data_report-jtc1.pdf.

3. The National Institute of Standards and Technology Big Data Interoperability Framework :

● Background

- NIST is leading the development of a Big Data Technology Roadmap which aims to define and prioritize requirements for interoperability, portability, reusability, and extensibility for big data analytic techniques and technology infrastructure to support secure and effective adoption of Big Data.

- To help develop the ideas in the Big Data Technology Roadmap, NIST is creating the Public Working Group for Big Data which Released Seven Volumes of Big Data Interoperability Framework on September 16, 2015.^[7]

● Objective

- To advance progress in Big Data, the NIST Big Data Public Working Group (NBD-PWG) is working to develop consensus on important, fundamental concepts related to Big Data.

● Status

- The results are reported in the NIST Big Data Interoperability Framework series of volumes. Under the framework, seven volumes have been released by NIST, available here:

http://bigdatawg.nist.gov/V1_output_docs.php

4. IEEE Standards Association

● Background:

- The IEEE Standards Association introduced a number of standards

related to big-data applications.

● Status:

The following standard is under development:

- IEEE P2413

"IEEE Standard for an Architectural Framework for the Internet of Things (IoT)" defines the relationships among devices used in industries, including transportation and health care. It also provides a blueprint for data privacy, protection, safety, and security, as well as a means to document and mitigate architecture divergence.^[8]

5. ITU

● Background:

- The International Telecommunications Union (ITU) has announced its first standards for big data services, entitled 'Recommendation ITU-T Y.3600 "Big data - cloud computing based requirements and capabilities"', recognizing the need for strong technical standards considering the growth of big data to ensure that processing tools are able to achieve powerful results in the areas of collection, analysis, visualization, and more.^[9]

● Objective:

- Recommendation Y.3600 provides requirements, capabilities and use cases of

cloud computing based big data as well as its system context. Cloud computing

based big data provides the capabilities to collect, store, analyze, visualize and

manage varieties of large volume datasets, which cannot be rapidly transferred

and analysed using traditional technologies.^[10]

- It also outlines how cloud computing systems can be leveraged to provide big-data services.

● Status:

- The standard was relseased in the year 2015 and is avaiabe here: http://www.itu.int/rec/T-REC-Y.3600-201511-I .

Smart cities

1. ISO Standards on Smart Cities

● Background:

- ISO, the International Organization for Standardization, established a strategic advisory group in 2014 for smart cities, comprised of a wide range of international experts to advise ISO on how to coordinate current and future Smart City standardization activities, in cooperation with other international standards organizations, to benefit the market.^[11]

- Seven countries, China, Germany, UK, France, Japan, Korea and USA, are currently involved in the research.

● Objective:

- The main aims of which are to formulate a definition of a Smart City

- Identify current and future ISO standards projects relating to Smart Cities

- Examine involvement of potential stakeholders, city requirements, potential interface problems. ^[12]

● Status:

- ISO/TC 268, which is focused on sustainable development in communities, has one working group developing city indicators and other developing metrics for smart community infrastructures. In early 2016 this committee will be joined by another - IEC - systems committee. The first standard produced by ISO/TC 268 is ISO/TR 37150:2014.

- ISO/TR 37150:2014 Smart community infrastructures -- Review of existing activities relevant to metrics: this standard provides a review of existing activities relevant to metrics for smart community infrastructures. The concept of smartness is addressed in terms of performance relevant to technologically implementable solutions, in accordance with sustainable development and resilience of communities, as defined in ISO/TC 268. ISO/TR 37150:2014 addresses community infrastructures such as energy, water, transportation, waste and information and communications technology (ICT). It focuses on the technical aspects of existing activities which have been published, implemented or discussed. Economic, political or societal aspects are not analyzed in ISO/TR 37150:2014.^[13]

- ISO 37120:2014 provides city leaders and citizens a set of clearly defined city performance indicators and a standard approach for measuring each. Though some indicators will be more helpful for cities than others, cities can now consistently apply these indicators and accurately benchmark their city services and quality of life against other cities.^[14] This new international standard was developed using the framework of the Global City Indicators Facility (GCIF) that has been extensively tested by more than 255 cities worldwide. This is a demand-led standard, driven and created by cities, for cities. ISO 37120 defines and establishes definitions and methodologies for a set of indicators to steer and measure the performance of city services and quality of life. The standard includes a comprehensive set of 100 indicators - of which 46 are core - that measures a city's social, economic, and environmental performance. ^[15]

The GCIF global network, supports the newly constituted World Council on City Data - a sister organization of the GCI/GCIF - which allows for independent, third party verification of ISO 37120 data.^[16]

- ISO/TS 37151 and ISO/TR 37152 Smart community infrastructures -- Common framework for development & operation: outlines 14 categories of basic community needs (from the perspective of residents, city managers and the environment) to measure the performance of smart community infrastructures. These are typical community infrastructures like energy, water, transportation, waste and information and communication technology systems, which have been optimized with sustainable development and resilience in mind. ^[17] The committee responsible for this document is ISO/TC 268, Sustainable development in communities, Subcommittee SC 1, Smart community infrastructures. The objective is to develop international consensus on a harmonised metrics to evaluate the smartness of key urban infrastructure.^[18]

- ISO 37101 Sustainable development of communities -- Management systems -- Requirements with guidance for resilience and smartness : By setting out requirements and guidance to attain sustainability with the support of methods and tools including smartness and resilience, it can help communities improve in a number of areas such as: Developing holistic and integrated approaches instead of working in silos (which can hinder sustainability), Fostering social and environmental changes, Improving health and wellbeing, Encouraging responsible resource use and Achieving better governance. ^[19] The objective is to develop a Management System Requirements Standard reflecting consensus on an integrated, cross-sector approach drawing on existing standards and best practices.

- ISO 37102 Sustainable development & resilience of communities - Vocabulary . The objective is to establish a common set of terms and definitions for standardization in sustainable development, resilience and smartness in communities, cities and territories since there is pressing need for harmonization and clarification. This would provide a common language for all interested parties and stakeholders at the national, regional and international levels and would lead to improved ability to conduct benchmarks and to share experiences and best practices.

- ISO/TR 37121 Inventory & review of existing indicators on sustainable development & resilience in cities : A common set of indicators useable by every city in the world and covering most issues related to sustainability, resilience and quality of life in cities. ^[20]

- ISO/TR 12859:2009 gives general guidelines to developers of intelligent transport systems (ITS) standards and systems on data privacy aspects and associated legislative requirements for the development and revision of ITS standards and systems. ^[21]

2. International Organisation for Standardization: ISO/IEC JTC 1 Working group on Smart Cities (WG 11 )

● Background:

- Serve as the focus of and proponent for JTC 1's Smart Cities standardization program and works for development of foundational standards for the use of ICT in Smart Cities - including the Smart City ICT Reference Framework and an Upper Level Ontology for Smart Cities - for guiding Smart Cities efforts throughout JTC 1 upon which other standards can be developed.^[22]

● Objective:

- To develop a set of ICT related indicators for Smart Cities in collaboration with ISO/TC 268.

- Identify JTC 1 (and other organization) subgroups developing standards and related material that contribute to Smart Cities.

- Grow the awareness of, and encourage engagement in, JTC 1 Smart Cities standardization efforts within JTC 1.

● Status

- Ms Yuan Yuan is the Convenor of this Working group.

- The purpose was to provide a report with recommendations to the JTC 1 Plenary in the year 2014, to which a preliminary report was submitted. ^[23]

3. International Organisation for Standardization: ISO/IEC JTC 1 Study Group (SG1) on Smart Cities

● Background:

- The Study Group (SG) - Smart Cities was established in 2013^[24] SG 1 will explicitly consider the work going on in the following committees: ISO/TMB/AG on Smart Cities, IEC/SEG 1, ITU-T/FG SSC and ISO/TC 268. ^[25]

● Objective :

- To examine the needs and potentials for standardization in this area.

● Status:

- SG 1 is paying particular attention to monitoring cloud computing activities, which it sees as the key element of the Smart Cities infrastructure. DIN's Information Technology and Selected IT Applications Standards Committee (NIA (www.nia.din.de)) is formally responsible for ISO/IEC JTC1 /SG 1, but an autonomous national mirror committee on Smart Cities does not yet exist and the work is being overseen by DIN's Smart Grid steering body. ^[26]

- A preliminary report has been released in the 2014, available here- http://www.iso.org/iso/smart_cities_report-jtc1.pdf

4. ITU

● Background:

- ITU members have established an ITU-T Study Group titled "ITU-T Study Group 20: IoT and its applications, including smart cities and communities" ^[27]

- ITU-T has also established a Focus Group on Smart Sustainable Cities (FG-SSC).

● Objective:

- The study group will address the standardization requirements of Internet of Things (IoT) technologies, with an initial focus on IoT applications in smart cities.

- The focus group shall assess the standardization requirements of cities aiming to boost their social, economic and environmental sustainability through the integration of information and communication technologies (ICTs) in their infrastructures and operations.

- The Focus Group will act as an open platform for smart-city stakeholders - such as municipalities; academic and research institutes; non-governmental organizations (NGOs); and ICT organizations, industry forums and consortia - to exchange knowledge in the interests of identifying the standardized frameworks needed to support the integration of ICT services in smart cities.^[28]

● Status:

- The study group will develop standards that leverage IoT technologies to address urban-development challenges.

- The FG-SSC concluded its work in May 2015 by approving 21 Technical Specifications and Reports. ^[29]

- So far, ITU-T SG 5 FG-SSC has issued the following reports- Technical report "An overview of smart sustainable cities and the role of information and communication technologies", Technical report "Smart sustainable cities: an analysis of definitions", Technical report "Electromagnetic field (EMF) considerations in smart sustainable cities", Technical specifications "Overview of key performance indicators in smart sustainable cities", Technical report "Smart water management in cities".^[30]

5. PRIPARE Project :

● Background:

- The 7001 - PRIPARE Smart City Strategy is to to ensure that ICT solutions integrated in EIP smart cities will be compliant with future privacy regulation.

- PRIPARE aims to develop a privacy and security-by-design software and systems engineering methodology, using the combined expertise of the research community and taking into account multiple viewpoints (advocacy, legal, engineering, business).

● Objective:

- The mission of PRIPARE is to facilitate the application of a privacy and security-by-design methodology that will contribute to the advent of unhindered usage of Internet against disruptions, censorship and surveillance, support its practice by the ICT research community to prepare for industry practice and foster risk management culture through educational material targeted to a diversity of stakeholders.

● Status:

- Liaison is currently on-going so that it becomes a standard (OASIS and ISO).^[31]

6. BSI-UK

● Background:

- In the UK, the British Standards Institution (BSI) has been commissioned by the UK Department of Business, Innovation and Skills (BIS) to conceive a Smart Cities Standards Strategy to identify vectors of smart city development where standards are needed.

- The standards would be developed through a consensus-driven process under the BSI to ensure good practise is shared between all the actors. ^[32]

● Objective:

The BIS launched the City's Standards Institute to bring together cities and key

industry leaders and innovators :

- To work together in identifying the challenges facing cities,

- Providing solutions to common problems, and

- Defining the future of smart city standards.^[33]

● Status:

The following standards and publications help address various issues for a city to

become a smart city:

- The development of a standard on Smart city terminology (PAS 180)

- The development of a Smart city framework standard (PAS 181)

- The development of a Data concept model for smart cities (PAS 182)

- A Smart city overview document (PD 8100)

- A Smart city planning guidelines document (PD 8101)

- BS 8904 Guidance for community sustainable development provides a decision-making framework that will help setting objectives in response to the needs and aspirations of city stakeholders

- BS 11000 Collaborative relationship management

- BSI BIP 2228:2013 Inclusive urban design - A guide to creating accessible public spaces.

7. Spain

● Background:

- AENOR, the Spanish standards developing organization (SDO), has issued two new standards on smart cities: the UNE 178303 and UNE-ISO 37120. These standards joined the already published UNE 178301.

● Objective:

- The texts, prepared by the Technical Committee of Standardization of AENOR on Smart Cities (AEN / CTN 178) and sponsored by the SETSI (Secretary of State for Telecommunications and Information Society of the Ministry of Industry, Energy and Tourism), aim to encourage the development of a new model of urban services management based on efficiency and sustainability.

● Status:

Some of the standards that have been developed are:

- UNE 178301 on Open Data evaluates the maturity of open data created or held by the public sector so that its reuse is provided in the field of Smart Cities.

- UNE 178303 establishes the requirements for proper management of municipal assets.

- UNE-ISO 37120 which collects the international urban sustainability indicators.

- Following the publication of these standards, 12 other draft standards on Smart Cities have just been made public, most of them corresponding to public services such as water, electricity and telecommunications, and multiservice city networks. ^[34]

8. China

● Background:

Several national standardization committees and consortia have started

standardization work on Smart Cities, including:

- China National IT Standardization TC (NITS),

- China National CT Standardization TC,

- China National Intelligent Transportation System Standardization TC,

- China National TC on Digital Technique of Intelligent Building and Residence Community of Standardization Administration, China Strategic Alliance of Smart City Industrial Technology Innovation^[35]

● Objective:

- In the year 2014, all the ministries involved in building smart cities in China joined with the Standardization Administration of China to create working groups whose job is to manage and standardize smart city development, though their activities have not been publicized. ^[36]

● Status:

- China will continue to promote international standards in building smart cities and improve the competitiveness of its related industries in global market.

- Also, China's Standardization Administration has joined hands with National Development and Reform Commission, Ministry of Housing and Urban-Rural Development and Ministry of Industry and Information Technology in establishing and implementing standards for smart cities.

- When building smart cities, the country will adhere to the ISO 37120 and by the year 2020, China will establish 50 national standards on smart cities. ^[37]

9. Germany

● Background :

- Member of European Innovation Partnership (EIP) for Smart Cities and Communities DKE (German Commission for Electrical, Electronic & Information Technologies) and DIN (GermanInstitute for Standardization) have developed a joint roadmap and Smart Cities recommendations for action in Germany.

● Objective:

- Its purpose is to highlight the need for standards and to serve as a strategic template for national and international standardization work in the field of smart city technology.

- The Standardization Roadmap highlights the main activities required to create smart cities. ^[38]

● Status:

- An updated version of the standardization roadmap was released in the year 2015. ^[39]

10. Poland

● Background:

- A coordination group on Smart and Sustainable Cities and Communities (SSCC) was set up in the beginning of 2014 to monitor any national standardization activities.

● Objective:

- It was decided to put forward a proposal to form a group at the Polish Committee for Standardization (PKN) providing recommendations for smart sustainable city standardization in Poland.

● Status:

It has two thematic groups:

- GT 1-2 on terminology and Technical Bodies in PKN Its scope covers a collection of English terms and their Polish equivalents related to smart and sustainable development of cities and communities to allow better communication among various smart city stakeholders. This includes the preparation of the list of Technical Bodies (OT) in PKN involved in standardization activities related to specific aspects of smart and sustainable local development and making proposals concerning the allocation of standardization works to the relevant OT in PKN.

- GT 3 for gathering information and the development and implementation of a work programme Its scope includes identifying stakeholders in Poland, and gathering information on any national "smart city" initiatives having an impact on environment-friendly development, sustainability, and liveability of a city. The group is also tasked with developing a work programme for GZ 1 based on identified priorities for Poland. Finally, its aim is to conduct communication and dissemination of activities to make the results of GZ 1 visible. ^[40]

11. Europe

● Background:

- In 2012, the European standardization organizations CEN and CENELEC founded the Smart and Sustainable Cities and Communities Coordination Group (SSCC-CG), which is a Coordination Group established to coordinate standardization activities and foster collaboration around standardization work. ^[41]

● Objective:

- The aim of the CEN-CENELEC-ETSI (SSCC-CG) is to coordinate and promote European standardization activities relating to Smart Cities and to advise the CEN and CENELEC (Technical) and ETSI Boards on standardization activities in the field of Smart and Sustainable Cities and Communities.

- The scope of the SSCC-CG is to advise on European interests and needs relating to standardization on Smart and Sustainable cities and communities.

● Status:

- Originally conceived to be completed by the end of 2014, SSCC-CG's mandate has been extended by the European standards organizations CEN, CENELEC and ETSI by a further two years and will run until the end of 2016.^[42]

- The SSCC-CG does not develop standards, but reports directly to the management boards of the standardization organizations and plays an advisory role. Current members of the SSCC.CG include representatives of the relevant technical committees, the CEN/CENELEC secretariat, the European Commission, the European associations and the national standardization organizations.^[43]

- CEN/CENELEC/ETSI Joint Working Group on Standards for Smart Grids: The aim of this document is to provide a strategic report which outlines the standardization requirements for implementing the European vision of smart grids, especially taking into account the initiatives by the Smart Grids Task Force of the European Commission. It provides an overview of standards, current activities, fields of action, international cooperation and strategic recommendations^[44]

12. Singapore

● Background:

- In the year 2015, SPRING Singapore, the Infocomm Development Authority of Singapore (IDA) and the Information Technology Standards Committee (ITSC), under the purview of the Singapore Standards Council (SSC), have laid out an Internet of Things (IoT) Standards Outline in support of Singapore's Smart Nation initiative.

● Objective:

- Realising importance of standards in laying the foundation for the nation empowered by big data, analytics technology and sensor networks in light of Singapore's vision of becoming a Smart Nation.

● Status:

Three types of standards - sensor network standards, IoT foundational standards and domain-specific standards - have been identified under the IoT Standards Outline. Singapore actively participates in the ISO Technical Committee (TC) working on smart city standards.^[45]

Expo

The show catered to manufacturers, developers and technology leaders interested in the domestic as well as global markets by displaying their products & services. EFY Expo was a catalyst for  accelerated growth and value addition, acquisition of technology and joint ventures between Indian and global players to enable growth of Electronic Manufacturing in the country.

Conference
CIS had the opportunity to attend the conference on Smart Cities on the 13th with experts discussing Smart Governance, Risk Assessment of Iot, Role of IoT in Smart Cities, and building Smart Cities with everything as a service.

The session started with a talk on building secure and flexible IoT platforms, where the need to focus on risk and security was emphasised. Several issues which require attention from the security perspective were raised, including: the focus must be on end-to-end security with IoT being present everywhere. Secondly, there must be IoT resilient standards addressing authentication and device management, and the Industry and Government must adopt must open standards to make the ecosystem flexible.  Also, the platforms must be secured and employ encryption to ensure trusted execution of software.

This was followed by a session on Smart Governance, discussing the changing nature of society where we see people moving from being connected with people to now being connected to devices. From the perspective of smart governance, the talk was divided into segments like Government to Government, Government to Business, Government to Employees and Government to Citizens. For smart cities, several e-governance initiatives have been undertaken so far, apart from e-delivery of services. After the Smart Cities Mission was announced, the Central Government sent several indicators of smart governance to the State Governments like : telecare (for example Karnataka had telejob portal), smart parking, smart grids, etc. From the business point of view, areas to be considered for building in-house competence for companies to build efficient and successful smart cities were suggested, some of them being: smarter education, buildings, environment, transportation, etc. It was suggested that smart governance can be ensured by regular measurement of the outcomes, redefining the gaps and analysis of these gaps with clearly laid policies. The key challenges to implementation of smart governance include :

• The inherent IoT challenges
• Government departments working in silos
• Lack of clarity in objectives
• Lack of transparency
• No standardized platforms
• Data privacy- the issue of personal data being stored in Government repository
• Scalable infrastructure
• Growing population

A survey was done to study the success rate of e-governance projects in India, where it was found that  50% of them were complete failures, while 35% were partial failures. Therefore, it becomes important to ponder over these challenges which may create a roadblock to smart governance raising concerns on projects like smart cities.

RIOT-Risk assessment of Internet of Things-  A Session to understand the security issue in IoT and discuss about secure IoT implementation. In smart cities, IoT has huge potential which may face roadblocks due to lack of open platforms, lack of an ecosystem of sensors, gateways, platforms and the challenges of integration with existing systems. The IoT security issues, on the other hand, like absence of set standards, lack of motivation for security and little awareness about such issues need due attention. This requires levels of check, for example, at the IoT surface level  in devices, the cloud or the mobile. Another important area here becomes the issue of data privacy and security for IoT implementation.

Everything as a service- An insight into what it takes to build a smart city with EaaS and understand the various components that go into this, how they interact and how it can be implemented. This session highlighted the importance of data in a city, as it becomes very useful to provide information like-about disasters, enabling the Government to make plans and take actions accordingly, information about the traffic in the city, the waste level, city health map, etc. With multiple actors using the same data, the use of such information in a smart city varies across various sectors like

• Smart Government- for Transparency, accountability and better decision-making
• Smart Mobility- Intelligent traffic, management, safer roads
• Smart Healthcare- health maps, better emergency services
• Smart Living-  safety and security, better quality of life
• Smart Utilities- Resource conservation, Resilience
• Smart Environment- Better waste, management, air quality monitoring.

To use everything as a service, it is considered as an attribute/state where there is a nexus between the users and state. For this, information is collected on the basis of data captured so far, or new data is captured by opening up existing sources like telecom operators, machines, citizens , hospitals, etc., or install new sensors to generate new data. Here, the need for data privacy and government policy was emphasized upon . For EaaS, there is an urgent need to standardize the interface between the sensor network, data publisher, insight providers and service provider in a smart city.

The conference gave insight into the perspective of the industry about smart cities, along with  the actors involved, issues and challenges envisioned by private companies in the development of smart cities in India. The companies see role of IoT as an integral part of the project, with data security, privacy and need to formulate/adopt standards for implementation of IoT in the new as well as the existing structure key for the Smart Cities Mission in India.

The article was published in Bangalore Mirror on February 9, 2016.

In their notes, TRAI has explained, "In India, given that a majority of the population are yet to be connected to the Internet, allowing service providers to define the nature of access would be equivalent of letting TSPs shape the users' Internet experience." Not just that, violation of this ban would cost Rs 50,000 every day.

Facebook's earlier plan was to launch Free Basics in India by making a few websites—that are mostly partners with Facebook—available for free. The company not just advertised heavily on billboards and commercials across the nation, it also embedded a campaign inside Facebook asking users to vote in support of Free Basics.

TRAI criticised Facebook's attempt for such a manipulative public provocation. However, Facebook was heavily criticised by many policy and Internet advocates, including non-profits groups like Free Software Movement of India and Savetheinternet.in campaign.

The latter two collectives were strongly discouraging Free Basics by bringing public opinion wherein Savetheinternet.org was used to send over 10 lakh emails to TRAI to disallow Free Basics.

Furthermore 500 start ups including major ones like Cleartrip, Zomato, Practo, Paytm and Cleartax also wrote to prime minister Narendra Modi requesting continued support for Net Neutrality — a concept that advocates equal treating of websites — on the Republic Day.

Stand-up comedy groups like AIB and East India Comedy had created humorous but informative videos explaining the regulatory debate and supporting net neutrality which went viral.

Technology critic and Quartz writer Alice Truong reacted saying: "Zuckerberg almost portrays net neutrality as a first-world problem that doesn't apply to India because having some service is better than no service."

In the light of differential pricing, news portal Medianama's founder Nikhil Pawa, in his opinion piece in Times of India, emphasised the way Aircel in India, Grameenphone in Bangladesh and Orange in Africa were providing free access to Internet with a sole motif of access to Internet, and criticised the walled Internet of Facebook that confines users inside Facebook only.

Had the differential pricing been allowed, it would have affected start ups and content-based smaller companies adversely, as they could never have managed to pay the high price to a partner service provider to make their service available for free.

On the other hand, tech-giants like Facebook could have easily managed to capture the entire market. Since the inception of the Facebook-run non-profit Internet.org has run into a lot of controversies because of the hidden motive behind the claimed support for social cause.

The decision by the government has been welcomed largely in the country and outside.

In support of the move, Web We Want programme manager at the World Wide Web Foundation, Renata Avila, has shared saying,

"As the country with the second largest number of Internet users worldwide, this decision will resonate around the world.

"It follows a precedent set by Chile, the United States, and others which have adopted similar net neutrality safeguards. The message is clear: We can't create a two-tier Internet — one for the haves, and one for the have-nots. We must connect everyone to the full potential of the open Web."

The first part of the series can be accessed here.

Background

The current data privacy protection framework across most jurisdictions is built around a rights based approach which entrusts the individual with having the wherewithal to make informed decisions about her interests and well-being.^[1] In his book, The Phantom Public, published in 1925, Walter Lippmann argues that the rights based approach is based on the idea of a sovereign and omnicompetent citizens, who can direct public affairs, however, this idea is a mere phantom or an abstraction. ^[2] Jonathan Obar, Assistant Professor of Communication and Digital Media Studies in the Faculty of Social Science and Humanities at University of Ontario Institute of Technology, states that Lippmann's thesis remains equally relevant in the context of current models of self-management, particularly for privacy.^[3] In the previous post, Scott Mason and I had looked at the limitations of a 'notice and consent' regime for privacy governance. Having established the deficiencies of the existing framework for data protection, I will now look at some of the alternatives proposed that may serve to address these issues.

In this article, I will look at paternalistic solutions posed as alternatives to the privacy self-management regime. I will look at theories of paternalism and libertarianism in the context of privacy and with reference to the works of some of the leading philosophers on jurisprudence and political science. The paper will attempt to clarify the main concepts and the arguments put forward by both the proponents and opponents of privacy paternalism. The first alternative solution draws on Anita Allen's thesis in her book, Unpopular Privacy,^[4] which deals with the questions whether individuals have a moral obligation to protect their own privacy. Allen expands the idea of rights to protect one's own self interests and duties towards others to the notion that we may have certain duties not only towards others but also towards ourselves because of their overall impact on the society. In the next section, we will look at the idea of 'libertarian paternalism' as put forth by Cass Sunstein and Richard Thaler^[5] and what its impact could be on privacy governance.

Paternalism

Gerald Dworkin, Professor Emeritus at University of California, Davis, defines paternalism as "interference of a state or an individual with another person, against their will, and defended or motivated by a claim that the person interfered with will be better off or protected from harm." ^[6] Any act of paternalism will involve some limitation on the autonomy of the subject of the regulation usually without the consent of the subject, and premised on the belief that such act shall either improve the welfare of the subject or prevent it from diminishing.^[7] Seana Shiffrin, Professor of Philosophy and Pete Kameron Professor of Law and Social Justice at UCLA, takes a broader view of paternalism and includes within its scope not only matters which are aimed at improving the subject's welfare, but also the replacement of the subject's judgement about matters which may otherwise have lied legitimately within the subject's control.^[8] In that sense, Shiffrin's view is interesting for it dispenses with both the requirement for active interference, and such act being premised on the subject's well-being.

The central premise of John Stuart Mill's On Liberty is that the only justifiable purpose to exert power over the will of an individual is to prevent harm to others. "His own good, either physical or moral," according to Mill, "is not a sufficient warrant." However, various scholars over the years have found Mill's absolute prohibition problematic and support some degree of paternalism. John Rawls' Principle of Fairness, for instance has been argued to be inherently paternalistic. If one has to put it in a nutshell, the aspect about paternalism that makes it controversial is that it involves coercion or interference, which in any theory of normative ethics or political science needs to be justified based on certain identified criteria. Staunch opponents of paternalism believe that this justification can never be met. Most scholars however, do not argue that all forms of paternalism are untenable and the bulk of scholarship on paternalism is devoted to formulating the conditions under which this justification is satisfied.

Paternalism interferes with self-autonomy in two ways according to Peter de Marneffe, the Professor of Philosophy at the School of Historical, Philosophical and Religious Studies, Arizona State University.^[9] The first is the prohibition principle, under which a person's autonomy is violated by being prohibited from making a choice. The second is the opportunity principle which undermines the autonomy of a person by reducing his opportunities to make a choice. Both the cases should be predicated upon a finding that the paternalistic act will lead to welfare or greater autonomy. According to de Marneffe, there are three conditions under which such acts of paternalism are justified - the benefits of welfare should be substantial, evident and must outweigh the benefits of self-autonomy.^[10]

There are two main strands of arguments made against paternalism.^[11] The first argues that interference with the choices of informed adults will always be an inferior option to letting them decide for themselves, as each person is the 'best judge' of his or her interests. The second strand does not engage with the question about whether paternalism can make better decisions about individuals, but states that any benefit derived from the paternalist act is outweighed by the harm of violation of self-autonomy. Most proponents of soft-paternalism build on this premise by trying to demonstrate that not all paternalistic acts violate self-autonomy. There are various forms of paternalism that we do not question despite them interfering with our autonomy - seat belt laws and restriction of tobacco advertising being a few of them. If we try to locate arguments for self-autonomy in the Kantian framework, it refers not just to the ability to do what one chooses, but to rational self-governance.^[12] This theory automatically "opens the door for justifiable paternalism."^[13] In this paper, I assume that certain forms of paternalism are justified. In the remaining two section, I will look at two different theories advocating greater paternalism in the context of privacy governance and try to examine the merits and issues with such measures.

A moral obligation to protect one's privacy

Modest Paternalism

In her book, Unpopular Privacy,^[14] Anita Allen states that enough emphasis is not placed by people on the value of privacy. The right of individuals to exercise their free will and under the 'notice and consent' regime, give up their rights to privacy as they deem fit is, according to her, problematic. The data protection law in most jurisdictions, is designed to be largely value-neutral in that it does not sit on judgement on what is the nature of information that is being revealed and how the collector uses it. Its primary emphasis is on providing the data subject with information about the above and allowing him to make informed decisions. In my previous post, Scott Mason and I had discussed that with online connectivity becomes increasingly important to participation in modern life, the choice to withdraw completely is becoming less and less of a genuine option.^[15] Lamenting that people put little emphasis on privacy and often give away information which, upon retrospection and due consideration, they would feel, they ought not have disclosed, Allen proposes what she calls 'modest paternalism' in which regulations mandate that individuals do not waive their privacy is certain limited circumstances.

Allen acknowledges the tension between her arguments in favor of paternalism and her avowed support for the liberal ideals of autonomy and that government interference should be limited, to the extent possible. However, she tries to make a case for greater paternalism in the context of privacy. She begins by categorizing privacy as a "primary good" essential for "self respect, trusting relationships, positions of responsibility and other forms of flourishing." In another article, Allen states that this "technophilic generation appears to have made disclosure the default rule of everyday life."^[16] Relying on various anecdotes and examples of individuals' disregard for privacy, she argues that privacy is so "neglected in contemporary life that democratic states, though liberal and feminist, could be justified in undertaking a rescue mission that includes enacting paternalistic privacy laws for the benefit of un-eager beneficiaries." She does state that in most cases it may be more advantageous to educate and incentivise individuals towards making choices that favor greater privacy protection. However, in exceptional cases, paternalism would be justified as a tool to ensure greater privacy.

A duty towards oneself

In an article for the Harvard Symposium on Privacy in 2013, Allen states that laws generally provide a framework built around rights of individuals that enable self-protection and duties towards others. G A Cohen describes Robert Nozick's views which represents this libertarian philosophy as follows: "The thought is that each person is the morally rightful owner of himself. He possesses over himself, as a matter of moral right, all those rights that a slaveholder has over a chattel slave as a matter of legal right, and he is entitled, morally speaking, to dispose over himself in the way such a slaveholder is entitled, legally speaking, to dispose over his slave."^[17] As per the libertarian philosophy espoused by Nozick, everyone is licensed to abuse themselves in the same manner slaveholders abused their slaves.

Allen asks the question whether there is a duty towards oneself and if such a duty exists, should it be reflected in policy or law. She accepts that a range of philosophers consider the idea of duties to oneself as illogical or untenable. ^[18] Allen, however relies on the works of scholars such as Lara Denis, Paul Eisenberg and Daniel Kading who have located such a duty. She develops a schematic of two kinds of duties - first order duties that requires we protect ourselves for the sake of others, and second order, derivative duties that we protect ourself. Through the essay, she relies on the Kantian framework of categorical imperative to build the moral thrust of her arguments. Kantian view of paternalism would justify those acts which interfere with an individual's autonomy in order to prevent her from exercising her autonomy irrationally, and draw her towards rational end that agree with her conception of good.^[19] However, Allen goes one step further and she locates the genesis for duties to both others (perfect duties) and oneself (imperfect duties) in the categorical imperative . Her main thesis is that there are certain situations where we have a moral duty to protect our own privacy where failure to do so would have an impact on either specific others or the society, at large.

Issues

Having built this interesting and somewhat controversial premise, Allen does not sufficiently expand upon it to present a nuanced solution. She provides a number of anecdotes but does not formulate any criteria for when privacy duties could be self-regarding. Her test for what kinds of paternalistic acts are justified is also extremely broad. She argues for paternalism where is protects privacy rights that "enhance liberty, liberal ways of life, well-being and expanded opportunity." She does not clearly define the threshold for when policy should move from incentives to regulatory mandate nor does she elaborate upon what forms paternalism would both serve the purpose of protecting privacy as well as ensuring that there is no unnecessary interference with the rights of individual.^[20]

Nudge and libertarian paternalism

What is nudge?

In 2006, Richard Thaler and Cass Sunstein published their book Nudge: Improving decisions about health, wealth and happiness. ^[21] The central thesis of the book is that in order to make most of decisions, we rely on a menu of options made available to us and the order and structure of choices is characterised by Thaler and Sunstein as "choice architecture." According to them, the choice architecture has a significant impact on the choices that we make. The book looks at examples from a food cafeteria, the position of restrooms and how whether the choice is to opt-in or opt-out influences the retirement plans that were chosen. This choice architecture influences our behavior without coercion or a set of incentives, as conventional public policy theory would have us expect. The book draws on work done by cognitive scientists such as Daniel Kahneman^[22] and Amos Tversky^[23] as well as Thaler's own research in behavioral economics. ^[24] The key takeaway from cognitive science and behavioral economics used in this book is that choice architecture influences our actions in anticipated ways and leads to predictably irrational behavior. Thaler and Sunstein believe that this presents a great potential for policy makers. They can tweak the choice architecture in their specific domains to influence the decisions made by its subjects and nudge them towards behavior that is beneficial to them and/or the society.

The great attraction of the argument made by Thaler and Sunstein is that it offers a compromise between forbearance and mandatory regulation. If we identify the two ends of the policy spectrum as - a) paternalists who believe in maximum interference through legal regulations that coerce behavior to meet the stated goals of the policy, and b) libertarians who believe in the free market theory that relies on the individuals making decisions in their best interests, 'nudging' falls somewhere in the middle, leading to the oxymoronic yet strangely apt phrase, "libertarian paternalism." The idea is to design choices in such as way that they influence decision-making so as to increase individual and societal welfare. In his book, The Laws of Fear, Cass Sunstein argues that the anti-paternalistic position is incoherent as "there is no way to avoid effects on behavior and choices."

The proponents of libertarian paternalism refute the commonly posed question about who decides the optimal and desirable results of choice architecture, by stating that this form of paternalism does not promote a perfectionist standard of welfare but an individualistic and subjective standard. According to them, choices are not prohibited, cordoned off or made to carry significant barriers. However, it is often difficult to conclude what it is that is better for the welfare of people, even from their own point of view. The claim that nudges lead to choices that make them better off by their own standards seems more and more untenable. What nudges do is lead people towards certain broad welfare which the choice-architects believe make the lives of people better in the longer term.^[25]

How nudges could apply to privacy?

Our previous post echoes the assertion made by Thaler and Sunstein that the traditional rational choice theory that assumes that individuals will make rationally optimal choices in their self interest when provided with a set of incentives and disincentives, is largely a fiction. We have argued that this assertion holds true in the context of privacy protection principles of notice and informed consent. Daniel Solove has argued that insights from cognitive science, particularly using the theory of nudge would be an acceptable compromise between the inefficacy of privacy self-management and the dangers of paternalism.^[26] His rationale is that while nudges influence choice, they are not overly paternalistic in that they still give the individual the option of making choices contrary to those sought by the choice architecture. This is an important distinction and it demonstrates that 'nudging' is less coercive than how we generally understand paternalistic policies.

One of the nudging techniques which makes a lot of sense in the context of the data protection policies is the use of defaults. It relies on the oft-mentioned status quo bias.^[27] This is mentioned by Thaler and Sunstein with respect to encouraging retirement savings plans and organ donation, but would apply equally to privacy. A number of data collectors have maximum disclosure as their default settings and effort in understanding and changing these settings is rarely employed by users. A rule which mandates that data collectors set optimal defaults that ensure that the most sensitive information is subjected to least degree of disclosure unless otherwise chosen by the user, will ensure greater privacy protection.

Ryan Calo and Dr. Victoria Groom explored an alternative to the traditional notice and consent regime at the Centre of Internet and Society, Stanford University.^[28] They conducted a two-phase experimental study. In the first phase, a standard privacy notice was compared with a control condition and a simplified notice to see if improving the readability impacted the response of users. In the second phase, the notice was compared with five notices strategies, out of which four were intended to enhance privacy protective behavior and one was intended to lower it. Shara Monteleone and her team used a similar approach but with a much larger sample size.^[29] One of the primary behavioral insights used was that when we do repetitive activities including accepting online terms and conditions or privacy notices, we tend to use our automatic or fast thinking instead to reflective or slow thinking.^[30] Changing them requires leveraging the automatic behavior of the individuals.

Alessandro Acquisti, Professor of Information Technology and Public Policy at the Heinz College, Carnegie Mellon University, has studied the application of methodologies from behavioral economics to investigate privacy decision-making.^[31] He highlights a variety of factors that distort decision-making such as - "inconsistent preferences and frames of judgment; opposing or contradictory needs (such as the need for publicity combined with the need for privacy); incomplete information about risks, consequences, or solutions inherent to provisioning (or protecting) personal information; bounded cognitive abilities that limit our ability to consider or reflect on the consequences of privacy-relevant actions; and various systematic (and therefore predictable) deviations from the abstractly rational decision process." Acquisti looks at three kinds of policy solutions taking the example of social networking sites collecting sensitive information- a) hard paternalistic approach which ban making visible certain kind of information on the site, b) a usability approach that entails designing the system in way that is most intuitive and easy for users to decide whether to provide the information, c) a soft paternalistic approach which seeks to aid the decision-making by providing other information such as how many people would have access to the information, if provided, and set defaults such that the information is not visible to others unless explicitly set by the user. The last two approaches are typically cited as examples of nudging approaches to privacy.

Another method is to use tools that lead to decreased disclosure of information. For example, tools like Social Media Sobriety Test^[32] or Mail Goggles^[33] serve to block the sites during certain hours set by user during which one expects to be at their most vulnerable, and the online services are blocked unless the user can pass a dexterity examination.^[34] Rebecca Belabako and her team are building privacy enhanced tools for Facebook and Twitter that will provide greater nudges in restricting who they share their location on Facebook and restricting their tweets to smaller group of people.^[35] Ritu Gulia and Dr. Sapna Gambhir have suggested nudges for social networking websites that randomly select pictures of people who will have access to the information to emphasise the public or private setting of a post.^[36] These approaches try to address the myopia bias where we choose immediate access to service over long term privacy harms.

The use of nudges as envisioned in the examples above is in some ways an extension of already existing research which advocates a design standard that makes the privacy notices more easily intelligible.^[37] However, studies show only an insignificant improvement by using these methods. Nudging, in that sense goes one step ahead. Instead of trying to make notices more readable and enable informed consent, the design standard will be intended to simply lead to choices that the architects deem optimal.

Issues with nudging

One of the primary justifications that Thaler and Sunstein put forward for nudging is that the choice architecture is ubiquitous. The manner in which option are presented to us impact how we make decision whether it was intended to do so or not, and that there is no such thing a neutral architecture. This inevitability, according to them, makes a strong case for nudging people towards choices that will lead to their well-being. However, this assessment does not support the arguments made by them that libertarian paternalism nudges people towards choices from their own point of view. It is my contention that various examples of libertarian paternalism, as put forth by Thaler and Sunstein, do in fact interfere with our self-autonomy as the choice architecture leads us not to options that we choose for ourselves in a fictional neutral environments, but to those options that the architects believe are good for us. This substitution of judgment would satisfy the definition by Seana Shiffron. Second, the fact that there is no such things as a neutral architecture, is by itself, not justification enough for nudging. If we view the issue only from the point of view of normative ethics, assuming that coercion and interference are undesirable, intentional interference is much worse than unintentional interference.

However, there are certain nudges that rely primarily on providing information, dispensing advice and rational persuasion.^[38] The freedom of choice is preserved in these circumstances. Libertarians may argue that even these circumstances the shaping of choice is problematic. This issue, J S Blumenthal-Barby argues, is adequately addressed by the publicity condition, a concept borrowed by Thaler and Sunstein from John Rawls.^[39] The principle states that officials should never use a technique they would be uncomfortable defending to the public; nudging is no exception. However, this seems like a simplistic solution to a complex problem. Nudges are meant to rely on inherent psychological tendencies, leveraging the theories about automatic and subconscious thinking as described by Daniel Kahneman in his book, "Thinking Fast, Thinking Slow."^[40] In that sense, while transparency is desirable it may not be very effective.

Other commentators also note that while behavioral economics can show why people make certain decisions, it may not be able to reliably predict how people will behave in different circumstances. The burden of extrapolating the observations into meaningful nudges may prove to be too heavy.^[41] However, the most oft-quoted criticism of nudging is that it will rely on officials to formulate the desired goals towards which the choice architecture will lead us.^[42] The judgments of these officials could be flawed and subject to influence by large corporations.^[43] These concerns echo the best judge argument made against all forms of paternalism, mentioned earlier in this essay. J S Blumenthal-Barby, Assistant Professor at the Center for Medical Ethics and Health Policy, Baylor College of Medicine, also examines the claim that the choice architects will be susceptible to the same biases while designing the choice environment.^[44] His first argument in response to this is that experts who extensively study decision-making may be less prone to these errors. Second, he argues that even with errors and biases, a choice architecture which attempts to the rights the wrongs of a random and unstructured choice environment is a preferable option.^[45]

Conclusion

Most libertarians will find the notion that individuals are prevented from sharing some information about themselves problematic. Anita Allen's idea about self-regarding duties is at odds how we understand rights and duties in most jurisdictions. Her attempt to locate an ethical duty to protect one's privacy, while interesting, is not backed by a formulation of how such a duty would work. While she relies largely on an Kantian framework, her definition of paternalism, as can be drawn from her writing is broader than that articulated by Kant himself. On the other hand, Thaler and Sunstein's book Nudge and related writings by them do attempt to build a framework of how nudging would work and answer some questions they anticipate would be raised against the idea of libertarian paternalism.

By and large, I feel that, Thaler and Sunstein's idea of libertarian paternalism could be justified in the context of privacy and data protection governance. It would be fair to say the first two conditions of de Marneffe under which such acts of paternalism are justified ^[46] are largely satisfied by nudges that ensures greater privacy protection. If nudges can ensure greater privacy protection, its benefits are both substantial and evident. However, the larger question is whether these purported benefits outweigh the costs of loss of self-autonomy. Given the numerous ways in which the 'notice and consent' framework is ineffective and leads to very little informed consent, it can be argued that there is little exercise of autonomy, to begin with, and hence, the loss of self-autonomy is not substantial. Some of the conceptual issues which doubt the ability of nudges to solve complex problems remain unanswered and we will have to wait for more analysis by both cognitive scientists and policy-makers. However, given the growing inefficacy of the existing privacy protection framework, it would be a good idea of begin using some insights from cognitive science and behavioral economics to ensure greater privacy protection.

The current value-neutrality of data protection law with respect of the kind of data collected and its use, and its complete reliance on the data subject to make an informed choice is, in my opinion, an idea that has run its course. Rather than focussing solely on the controls at the stage of data collection, I believe we need a more robust theory of how to govern the subsequent uses of data. This will is the focus of the next part of this series in which I will look at the greater use of risk-based approach to privacy protection.

The article by Sunil Abraham and Vidushi Marda was published by Asian Age on February 14, 2016.

What would have gone wrong if India’s telecom regulator Trai had decided to support programmes like Facebook’s Free Basics and Airtel’s Zero Rating instead of issuing the regulation that prohibits discriminatory tariffs? Here are possible scenarios to look at in case the discriminatory tarrifs were allowed as they are in some countries.

Possible impact on elections

Facebook would have continued to amass its product — eyeballs. Indian eyeballs would be more valuable than others for three reasons 1. Facebook would have an additional layer of surveillance thanks to the Free Basics proxy server which stores the time, the site url and data transferred for all the other destinations featured in the walled garden 2. As part of Digital India, most government entities will set up Facebook pages and a majority of the interaction with citizens would happen on the social media rather than the websites of government entities and, consequently, Facebook would know what is and what is not working in governance 3. Given the financial disincentive to leave the walled garden, the surveillance would be total.

What would this mean for democracies? Eight years ago, Facebook began to engineer the News Feed to show more posts of a user’s friends voting in order to influence voting behavior. It introduced the “I’m Voting” button into 61 million users’ feeds during the 2010 US presidential elections to increase voter turnout and found that this kind of social pressure caused people to vote. Facebook has also admitted to populating feeds with posts from friends with similar political views. During the 2012 Presidential elections, Facebook was able to increase voter turnout by altering 1.9 million news feeds.

Indian eyeballs may not be that lucrative in terms of advertising. But these users are extremely valuable to political parties and others interested in influencing elections. Facebook’s notifications to users when their friends signed on to the “Support Free Basics” campaign was configured so that you were informed more often than with other campaigns. In other words, Facebook is not just another player on their platform. Given that margins are often slim, would Facebook be tempted to try and install a government of its choice in India during the 2019 general elections?

In times of disasters

Most people defending Free Basics and defending forbearance as the regulatory response in 2015/16 make the argument that “95 per cent of Internet users in developing countries spend 95 per cent of their time on Facebook”.

This is not too far from the truth as LirneAsia demonstrated in 2012 with most people using Facebook in Indonesia not even knowing they were using the internet. In other words, they argue that regulators should ignore the fringe user and fringe usage and only focus on the mainstream. The cognitive bias they are appealing to is smaller numbers are less important.

Since all the sublime analogies in the Net Neutrality debate have been taken, forgive us for using the scatological. That is the same as arguing that since we spend only 5% of our day in toilets, only 5% of our home’s real estate should be devoted to them.

Everyone agrees that it is far easier to live in a house without a bedroom than a house without a toilet. Even extremely low probabilities or ‘Black Swan’ events can be terribly important! Imagine you are an Indian at the bottom of the pyramid. You cannot afford to pay for data on your phone and, as a result, you rarely and nervously stray out of the walled garden of Free Basics.

During a natural disaster you are able to use the Facebook Safety Check feature to mark yourself safe but the volunteers who are organising both offline and online rescue efforts are using a wider variety of platforms, tools and technologies.

Since you are unfamiliar with the rest of the Internet, you are ill equipped when you try to organise a rescue for you and your loved ones.

Content and carriage converge

Some people argue that TRAI should have stayed off the issue since the Competition Commission of India (CCI) is sufficient to tackle Net Neutrality harms. However it is unclear if predatory pricing by Reliance, which has only 9% market share, will cross the competition law threshold for market dominance? Interestingly, just before the Trai notification, the Ambani brothers signed a spectrum sharing pact and they have been sharing optic fibre since 2013.

Will a content sharing pact follow these carriage pacts? As media diversity researcher, Alam Srinivas, notes “If their plans succeed, their media empires will span across genres such as print, broadcasting, radio and digital. They will own the distribution chains such as cable, direct-to-home (DTH), optic fibre (terrestrial and undersea), telecom towers and multiplexes.”

What does this convergence vision of the Ambani brothers mean for media diversity in India? In the absence of net neutrality regulation could they use their dominance in broadcast media to reduce choice on the Internet? Could they use a non-neutral provisioning of the Internet to increase their dominance in broadcast media? When a single wire or the very same radio spectrum delivers radio, TV, games and Internet to your home — what under competition law will be considered a substitutable product? What would be the relevant market? At the Centre for Internet and Society (CI S), we argue that competition law principles with lower threshold should be applied to networked infrastructure through infrastructure specific non-discrimination regulations like the one that Trai just notified to protect digital media diversity.

Was an absolute prohibition the best response for TRAI? With only two possible exemptions — i.e. closed communication network and emergencies - the regulation is very clear and brief. However, as our colleague Pranesh Prakash has said, TRAI has over regulated and used a sledgehammer where a scalpel would have sufficed. In CIS’ official submission, we had recommended a series of tests in order to determine whether a particular type of zero rating should be allowed or forbidden. That test may be legally sophisticated; but as TRAI argues it is clear and simple rules that result in regulatory equity. A possible alternative to a complicated multi-part legal test is the leaky walled garden proposal. Remember, it is only in the case of very dangerous technologies where the harms are large scale and irreversible and an absolute prohibition based on the precautionary principle is merited.

However, as far as network neutrality harms go, it may be sufficient to insist that for every MB that is consumed within Free Basics, Reliance be mandated to provide a data top up of 3MB.

This would have three advantages. One, it would be easy to articulate in a brief regulation and therefore reduce the possibility of litigation. Two, it is easy for the consumer who is harmed to monitor the mitigation measure and last, based on empirical data, the regulator could increase or decrease the proportion of the mitigation measure.

This is an example of what Prof Christopher T. Marsden calls positive, forward-looking network neutrality regulation. Positive in the sense that instead of prohibitions and punitive measures, the emphasis is on obligations and forward-looking in the sense that no new technology and business model should be prohibited.

What is Net neutrality?

According to this principle, all service providers and governments should not discriminate between various data on the internet and consider all as one. They cannot give preference to one set of apps/ websites while restricting others.

• 2006: TRAI invites opinions regarding the regulation of net neutrality from various telecom industry bodies and stakeholdersFeb. 2012: Sunil Bharti Mittal, CEO of Bharti Airtel, suggests services like YouTube should pay an interconnect charge to network operators, saying that if telecom operators are building highways for data then there should be a tax on the highway
• July 2012: Bharti Airtel’s Jagbir Singh suggests large Internet companies like Facebook and Google should share revenues with telecom companies.
• August 2012: Data from M-Lab said You Broadband, Airtel, BSNL were throttling traffic of P2P services like BitTorrent
• Feb. 2013: Killi Kiruparani, Minister for state for communications and technology says government will look into legality of VoIP services like Skype
• June 2013: Airtel starts offering select Google services to cellular broadband users for free, fixing a ceiling of 1GB on the data
• Feb. 2014: Airtel operations CEO Gopal Vittal says companies offering free messaging apps like Skype and WhatsApp should be regulated
• August 2014: TRAI rejects proposal from telecom companies to make messaging application firms share part of their revenue with the carriers/government
• Nov. 2014: Trai begins investigation on Airtel implementing preferential access with special packs for WhatsApp and Facebook at rates lower than standard data rates
• Dec. 2014: Airtel launches 2G, 3G data packs with VoIP data excluded in the pack, later launches VoIP pack.
• Feb. 2015: Facebook launches Internet.org with Reliance communications, aiming to provide free access to 38 websites through single app
• March 2015: Trai publishes consultation paper on regulatory framework for over the top services, explaining what net neutrality in India will mean and its impact, invited public feedback
• April 2015: Airtel launches Airtel Zero, a scheme where apps sign up with airtle to get their content displayed free across the network. Flipkart, which was in talks for the scheme, had to pull out after users started giving it poor rating after hearing about the news
• April 2015: Ravi Shankar Prasad, Communication and information technology minister announces formation of a committee to study net neutrality issues in the country
• 23 April 2015: Many organisations under Free Software Movement of India protested in various parts of the country. In a counter measure, Cellular Operators Association of India launches campaign , saying its aim is to connect the unconnected citizens, demanding VoIP apps be treated as cellular operators
• 27 April 2015: Trai releases names and email addresses of users who responded to the consultation paper in millions. Anonymous India group, take down Trai’s website in retaliation, which the government could not confirm
• Sept. 2015: Facebook rebrands Internet.org as Free Basics, launches in the country with massive ads across major newspapers in the country. Faces huge backlash from public
• Feb. 2016: Trai rules in favour of net neutrality, barring telecom operators from charging different rates for data services.

The writers work at the Centre for Internet and Society, Bengaluru. CIS receives about $200,000 a year from WMF, the organisation behind Wikipedia, a site featured in Free Basics and zero-rated by many access providers across the world

Sedition is an offence that criminalizes speech that is construed to be disloyal to or threatening to the state. The main legal provision in India is section 124A of the Indian Penal Code that criminalizes speech that “brings or attempts to bring into hatred or contempt, or attempts or attempts to excite disaffection” towards the government. The law makes a distinction between “disapprobation” (lawful criticism of the government) and “disaffection” (expressing disloyalty or enmity which is proscribed).

The British introduced this law in 1898, as a part of their efforts to curb criticism of colonial rule, and to stamp out any dissent. Many famous nationalists including Bal Gangadhar Tilak and Mahatma Gandhi have been tried and imprisoned for sedition. After a spirited debate, the Indian Constitutional Assembly decided not to include ‘sedition’ as a specific exception to Article 19(1)(a). However section 124A IPC remained on the statute book. After the First Amendment to the Constitution and the introduction of the words “in the interests of public order” to the exceptions to Article 19(1)(a), it became extremely difficult to challenge the constitutionality of section 124A.

In 1962, the Supreme Court upheld the constitutionality of the law in the Kedarnath Singh case, but narrowed the scope of the law to acts involving intention or tendency to create disorder, or disturbance of law and order, or incitement to violence. Thus the Supreme Court provided an additional safeguard to the law: not only was constructive criticism or disapprobation allowed, but if the speech concerned did not have an intention or tendency to cause violence or a disturbance of law and order, it was permissible.

However, even though the law allows for peaceful dissent and constructive criticism, over the years various governments have used section 124A to curb dissent. The trial and conviction of the medical doctor and human rights activist Binayak Sen, led to a renewed call for the scrapping of this law. In the Aseem Trivedi case, where a cartoonist was arrested for his work around the theme of corruption, the Bombay High Court has laid down guidelines to be followed by the government in arrests under section 124A. The court reaffirmed the law laid down in Kedarnath Singh, and held that for a prosecution under section 124A, a legal opinion in writing must be obtained from the law officer of the district(it did not specify who this was) followed by a legal opinion in writing within two weeks from the state public prosecutor. This adds to the existing procedural safeguard under section 196 of the Code of Criminal Procedure (CrPC) that says that courts cannot take cognizance of offences punishable under section 124A IPC unless the Central or State government has given sanction or permission to proceed.

The serious nature of section 124A is seen in the light of the punishment associated with it. Section 124A is a cognizable (arrests can be made without a warrant), non-bailable and non-compoundable offence. Punishment for the offence can extend up to life imprisonment. Because of the seriousness of the offence, courts are often reluctant to grant bail. Sedition law is seen as an anachronism in many countries including the United Kingdom, and it has been repealed in most Western democracies.

IMPORTANT CASE LAW

Kedarnath Singh v. State of Bihar, AIR 1962 SC 955 Supreme Court, 5 Judges,

Medium: Offline

Brief Facts: Kedarnath Singh, a member of the Forward Communist Party, was prosecuted for sedition related to a speech that he made criticising the government for its capitalist policies. Singh challenged the constitutionality of the sedition law. The Supreme Court bunched Singh’s case with other similar incidents where persons were prosecuted under the sedition law.

Held: The law is constitutional and covered written or spoken words that had the implicit idea of subverting the government by violent means. However, this section would not cover words that were used as disapprobation of measures of the government that were meant to improve or alter the policies of the government through lawful means. Citizens can criticize the government as long as they are not inciting people to violence against the government with an intention to create public disorder. The court drew upon the Federal Court’s decision in Niharendru Dutt Majumdar where the court held that offence of sedition is the incitement to violence or the tendency or the effect of bringing a government established by law into hatred or contempt or creating disaffection in the sense of disloyalty to the state. While the Supreme Court upheld the validity of section 124A, it limited its application to acts involving intention or tendency to create disorder, or a disturbance of law and order, or incitement to violence.

Balwant Singh and Anr v. State of Punjab: AIR 1985 SC 1785

Brief Facts: The accused had raised the slogan “Khalistan Zindabad” outside a cinema hall just after the assassination of Prime Minister Indira Gandhi.

Held: The slogans raised by the accused had no impact on the public. Two individuals casually raising slogans could not be said to be exciting disaffection towards the government. Section 124A would not apply to the facts and circumstances of this case.

Sanskar Marathe v. State of Maharashtra & Ors, Criminal Public Interest Litigation No. 3 of 2015, Bombay High Court, 2 judges

Medium: Online and Offline

Brief Facts: The case arose out of the arrest of Aseem Trivedi, a political cartoonist who was involved with the India Against Corruption movement. Trivedi was arrested in 2012 in Mumbai for sedition and insulting the National Emblems Act. The court considered the question of how it could intervene to prevent the misuse of section 124A. Held: The cartoons were in the nature of political satire, and there was no allegation of incitement to violence, or tendency or intention to create public disorder. The Court issued guidelines to all police personnel in the form of preconditions for prosecutions under section 124A: Words, signs, or representations must bring the government into hatred or contempt, or must cause, or attempt to cause disaffection, enmity or disloyalty to the government. The words, signs or representation must also be an incitement to violence or must be intended or tend to create public disorder or a reasonable apprehension of public disorder. Words, signs or representations, just by virtue of being against politicians or public officials cannot be said to be against the government. They must show the public official as representative of the government. Disapproval or criticism of the government to bring about a change in government through lawful means does not amount to sedition. Obscenity or vulgarity by itself is not a factor to be taken into account while deciding if a word, sign or representation violates section 124A. In order to prosecute under section 124A, the government has to obtain a legal opinion in writing from the law officer of the district (the judgment does not specify who this is) and in the next two weeks, a legal opinion in writing from the public prosecutor of the state.

Article 19(2) of the Constitution authorises the government to impose, by law, reasonable restrictions upon the freedom of speech and expression “in the interests of… public order.” To understand the Supreme Court’s public order jurisprudence, it is important to break down the sub-clause into its component parts, and focus upon their separate meanings. Specifically, three terms are important: “reasonable restrictions”, “in the interests of”, and “public order”.

The Supreme Court’s public order jurisprudence can be broadly divided into three phases. Phase One (1949 – 1950), which we may call the pre-First Amendment Phase, is characterised by a highly speech-protective approach and a rigorous scrutiny of speech-restricting laws. Phase Two (1950 – 1960), which we may call the post-First Amendment Expansionist Phase, is characterised by a judicial hands-off approach towards legislative and executive action aimed at restricting speech. Phase Three (1960 - present day), which we may call the post-First Amendment Protectionist phase, is characterised by a cautious, incremental move back towards a speech-protective, rigorous-scrutiny approach. This classification is broad-brush and generalist, but serves as a useful explanatory device.

Before the First Amendment, the relevant part of Article 19(2) allowed the government to restrict speech that “undermines the security of, or tends to overthrow, the State.” The scope of the restriction was examined by the Supreme Court in Romesh Thappar vs State of Madras and Brij Bhushan vs State of Delhi, both decided in 1950. Both cases involved the ban of newspapers or periodicals, under state laws that authorised the government to prohibit the entry or circulation of written material, ‘in the interests of public order’. A majority of the Supreme Court struck down the laws. In doing so, they invoked the concept of “over-breadth”: according to the Court, “public order” was synonymous with public tranquility and peace, while undermining the security of, or tending to overthrow the State, referred to acts which could shake the very foundations of the State. Consequently, while acts that undermined or tended to overthrow the State would also lead to public disorder, not all acts against public order would rise to the level of undermining the security of the State. This meant that the legislation proscribed acts that, under Article 19(2), the government was entitled to prohibit, as well as those that it wasn’t. This made the laws “over-broad”, and unconstitutional. In a dissenting opinion, Fazl Ali J. argued that “public order”, “public tranquility”, “the security of the State” and “sedition” were all interchangeable terms, that meant the same thing.

In Romesh Thappar and Brij Bhushan, the Supreme Court also held that the impugned legislations imposed a regime of “prior restraint” – i.e., by allowing the government to prohibit the circulation of newspapers in anticipation of public disorder, they choked off speech before it even had the opportunity to be made. Following a long-established tradition in common law as well as American constitutional jurisprudence, the Court held that a legislation imposing prior restraint bore a heavy burden to demonstrate its constitutionality.

The decisions in Romesh Thappar and Brij Bhushan led to the passage of the First Amendment, which substituted the phrase “undermines the security of, or tends to overthrow, the State” with “public order”, added an additional restriction in the interests of preventing an incitement to an offence, and – importantly – added a the word “reasonable” before “restrictions”.

The newly-minted Article 19(2) came to be interpreted by the Supreme Court in Ramji Lal Modi vs State of UP (1957). At issue was a challenge to S. 295A of the Indian Penal Code, which criminalised insulting religious beliefs with an intent to outrage religious feelings of any class. The challenge made an over-breadth argument: it was contended that while some instances of outraging religious beliefs would lead to public disorder, not all would, and consequently, the Section was unconstitutional. The Court rejected this argument and upheld the Section. It focused on the phrase “in the interests of”, and held that being substantially broader than a term such as “for the maintenance of”, it allowed the government wide leeway in restricting speech. In other words, as long as the State could show that there was some connection between the law, and public order, it would be constitutional. The Court went on to hold that the calculated tendency of any speech or expression aimed at outraging religious feelings was, indeed, to cause public disorder, and consequently, the Section was constitutional. This reasoning was echoed in Virendra vs State of Punjab (1957), where provisions of the colonial era Press Act, which authorised the government to impose prior restraint upon newspapers, were challenged. The Supreme Court upheld the provisions that introduced certain procedural safeguards, like a time limit, and struck down the provisions that didn’t. Notably, however, the Court upheld the imposition of prior restraint itself, on the ground that the phrase “in the interests of” bore a very wide ambit, and held that it would defer to the government’s determination of when public order was jeopardised by speech or expression.

In Ramji Lal Modi and Virendra, the Court had rejected the argument that the State can only impose restrictions on the freedom of speech and expression if it demonstrates a proximate link between speech and public order. The Supreme Court had focused closely on the breadth of the phrase “in the interests of”, but had not subjected the reasonable requirement to any analysis. In earlier cases such as State of Madras vs V.G. Row, the Court had stressed that in order to be “reasonable”, a restriction would have to take into account the nature and scope of the right, the extent of infringement, and proportionality. This analysis failed to figure in Ramji Lal Modi and Virendra. However, in Superintendent, Central Prison vs Ram Manohar Lohia, the Supreme Court changed its position, and held that there must be a “proximate” relationship between speech and public disorder, and that it must not be remote, fanciful or far fetched. Thus, for the first time, the breath of the phrase “in the interests of” was qualified, presumably from the perspective of reasonableness. In Lohia, the Court also stressed again that “public order” was of narrower ambit than mere “law and order”, and would require the State to discharge a high burden of proof, along with evidence.

Lohia marks the start of the third phase in the Court’s jurisprudence, where the link of proximity between speech and public disorder has gradually been refined. In Babulal Parate vs State of Maharashtra (1961) and Madhu Limaye vs Sub-Divisional Magistrate (1970), the Court upheld prior restraints under S. 144 of the CrPC, while clarifying that the Section could only be used in cases of an Emergency. Section 144 of the CrPC empowers executive magistrates (i.e., high-ranking police officers) to pass very wide-ranging preventive orders, and is primarily used to prohibit assemblies at certain times in certain areas, when it is considered that the situation is volatile, and could lead to violence. In Babulal Parate and Madhu Limaye, the Supreme Court upheld the constitutionality of Section 144, but also clarified that its use was restricted to situations when there was a proximate link between the prohibition, and the likelihood of public dirsorder.

In recent years, the Court has further refined its proximity test. In S. Rangarajan vs P. Jagjivan Ram (1989), the Supreme Court required proximity to be akin to a “spark in a powder keg”. Most recently, in Arup Bhuyan vs State of Assam (2011), the Court read down a provision in the TADA criminalizing membership of a banned association to only apply to cases where an individual was responsible for incitement to imminent violence (a standard borrowed from the American case of Brandenburg).[GB1]

Lastly, in 2015,  we have seen the first instance of the application of Section 144 of the CrPC to online speech. The wide wording of the section was used in Gujarat to pre-emptively block mobile internet services, in the wake of Hardik Patel’s Patidar agitation for reservations. Despite the fact that website blocking is specifically provided for by Section 69A of the IT Act, and its accompanying rules, the Gujarat High Court upheld the state action.

The following conclusions emerge:

(1)  “Public Order” under Article 19(2) is a term of art, and refers to a situation of public tranquility/public peace, that goes beyond simply law-breaking

(2)  Prior restraint in the interests of public order is justified under Article 19(2), subject to a test of proximity; by virtue of the Gujarat High Court judgment in 2015, prior restraint extends to the online sphere as well

(3)  The proximity test requires the relationship between speech and public order to be imminent, or like a spark in a powder keg

Foreword

Tectonic shifts in technology and economic models have vastly expanded the opportunities for press freedom and the safety of journalists, opening new avenues for freedom of expression for women and men across the world. Today, more and more people are able to produce, update and share information widely, within and across national borders. All of this is a blessing for creativity, exchange and dialogue.

At the same time, new threats are arising. In a context of rapid change, these are combining with older forms of restriction to pose challenges to freedom of expression, in the shape of controls not aligned with international standards for protection of freedom of expression and rising threats against journalists.

These developments raise issues that go to the heart of UNESCO’s mandate “to promote the flow of ideas by word and image” between all peoples, across the world. For UNESCO, freedom of expression is a fundamental human right that underpins all other civil liberties, that is vital for the rule of law and good governance, and that is a foundation for inclusive and open societies. Freedom of expression stands at the heart of media freedom and the practice of journalism as a form of expression aspiring to be in the public interest.

At the 36^th session of the General Conference (November 2011), Member States mandated UNESCO to explore the impact of change on press freedom and the safety of journalists. For this purpose, the Report has adopted four angles of analysis, drawing on the 1991 Windhoek Declaration, to review emerging trends through the conditions of media freedom, pluralism and independence, as well as the safety of journalists. At each level, the Report has also examined trends through the lens of gender equality.

The result is the portrait of change -- across the world, at all levels, featuring as much opportunity as challenge. The business of media is undergoing a revolution with the rise of digital networks, online platforms, internet intermediaries and social media. New actors are emerging, including citizen journalists, who are redrawing the boundaries of the media. At the same time, the Report shows that the traditional news institutions continue to be agenda-setters for media and public communications in general – even as they are also engaging with the digital revolution. The Report highlights also the mix of old and new challenges to media freedom, including increasing cases of threats against the safety of journalists.

The pace of change raises questions about how to foster freedom of expression across print, broadcast and internet media and how to ensure the safety of journalists. The Report draws on a rich array of research and is not prescriptive -- but it sends a clear message on the importance of freedom of expression and press freedom on all platforms.

To these ends, UNESCO is working across the board, across the world. This starts with global awareness raising and advocacy, including through World Press Freedom Day. It entails supporting countries in strengthening their legal and regulatory frameworks and in building capacity. It means standing up to call for justice every time a journalist is killed, to eliminate impunity. This is the importance of the United Nations Plan of Action on the Safety of Journalists and the Issue of Impunity, spearheaded by UNESCO and endorsed by the UN Chief Executives Board in April 2012. UNESCO is working with countries to take this plan forward on the ground. We also seek to better understand the challenges that are arising – most recently, through a Global Survey on Violence against Female Journalists, with the International News Safety Institute, the International Women’s Media Foundation, and the Austrian Government.

Respecting freedom of expression and media freedom is essential today, as we seek to build inclusive, knowledge societies and a more just and peaceful century ahead. I am confident that this Report will find a wide audience, in Member States, international and regional organizations, civil society and academia, as well as with the media and journalists, and I wish to thank Sweden for its support to this initiative. This is an important contribution to understanding a world in change, at a time when the international community is defining a new global sustainable development agenda, which must be underpinned and driven by human rights, with particular attention to freedom of expression.

Executive Summary

Freedom of expression in general, and media development in particular, are core to UNESCO’s constitutional mandate to advance ‘the mutual knowledge and understanding of peoples, through all means of mass communication’ and promoting ‘the free flow of ideas by word and image.’ For UNESCO, press freedom is a corollary of the general right to freedom of expression. Since 1991, the year of the seminal Windhoek Declaration, which was endorsed by the UN General Assembly, UNESCO has understood press freedom as designating the conditions of media freedom, pluralism and independence, as well as the safety of journalists.  It is within this framework that this report examines progress as regards press freedom, including in regard to gender equality, and makes sense of the evolution of media actors, news media institutions and journalistic roles over time.

This report has been prepared on the basis of a summary report on the global state of press freedom and the safety of journalists, presented to the General Conference of UNESCO Member States in November 2013, on the mandate of the decision by Member States taken at the 36th session of the General Conference of the Organization.[*]

The overarching global trend with respect to media freedom, pluralism, independence and the safety of journalists over the past several years is that of disruption and change brought on by technology, and to a lesser extent, the global financial crisis. These trends have impacted traditional economic and organizational structures in the news media, legal and regulatory frameworks, journalism practices, and media consumption and production habits. Technological convergence has expanded the number of and access to media platforms as well as the potential for expression. It has enabled the emergence of citizen journalism and spaces for independent media, while at the same time fundamentally reconfiguring journalistic practices and the business of news.

The broad global patterns identified in this report are accompanied by extensive unevenness within the whole.  The trends summarized above, therefore, go hand in hand with substantial variations between and within regions as well as countries.

Download the PDF

[*]. 37 C/INF.4 16 September 2013 “Information regarding the implementation of decisions of the governing bodies”. http://unesdoc.unesco.org/images/0022/002230/223097e.pdf; http://unesdoc.unesco.org/images/0022/002230/223097f.pdf

The article by Subhashish Panigrahi was published by Odisha TV on February 9, 2016.

Because the Telecom Regulatory Authority of India (TRAI) has taken a historical step by banning differential pricing without discriminating services. In their notes TRAI has explained, “In India, given that a majority of the population are yet to be connected to the internet, allowing service providers to define the nature of access would be equivalent of letting TSPs shape the users’ internet experience.” Not just that, violation of this ban would cost Rs. 50,000 every day.

Facebook planned to launch Free Basics in India by making a few websites – mostly partners with Facebook—available for free. The company not just advertised aggressively on bill boards and commercials across the nation, it also embedded a campaign inside Facebook asking users to vote in support of Free Basics. TRAI criticized Facebook’s attempt to manipulate public opinion. Facebook was also heavily challenged by many policy and internet advocates including non-profits like Free Software Movement of India and Savetheinternet.in campaign. The two collectives strongly discouraged Free Basics by moulding public opinion against it with Savetheinternet.in alone used to send over 2.4 million emails to TRAI to disallow Free Basics. Furthermore, 500 Indian start-ups, including major names like Cleartrip, Zomato, Practo, Paytm and Cleartax, also wrote to India’s Prime Minister Narendra Modi requesting continued support for Net Neutrality – a concept that advocates equal treatment of websites – on Republic Day. Stand-up comedians like Abish Mathew and groups like All India Bakchod and East India Comedy created humorous but informative videos explaining the regulatory debate and supporting net neutrality. Both went viral.

Technology critic and Quartz writer Alice Truong reacted to Free Basics saying; “Zuckerberg almost portrays net neutrality as a first-world problem that doesn’t apply to India because having some service is better than no service.”

The decision of the Indian government has been largely welcomed in the country and outside. In support of the move, Web We Want programme manager at the World Wide Web Foundation Renata Avila has said; “As the country with the second largest number of Internet users worldwide, this decision will resonate around the world. It follows a precedent set by Chile, the United States, and others which have adopted similar net neutrality safeguards. The message is clear: We can’t create a two-tier Internet – one for the haves, and one for the have-nots. We must connect everyone to the full potential of the open Web.”

There are mixed responses on the social media, both in support and in opposition to the TRAI decision. Josh Levy, Advocacy Director at Accessnow, has appreciated saying, “India is now the global leader on #NetNeutrality. New rules are stronger than those in EU and US.”

Had differential pricing been allowed, it would have affected start-ups and content-based smaller companies adversely as they could never have managed to pay the high price to a partner service provider to make their service available for free. On the other hand, tech-giants like Facebook could have easily managed to capture the entire market. Since the inception, the Facebook-run non-profit Internet.org has run into a lot of controversies because of the hidden motive behind the claimed support for social cause.

The article was published by Global Voices on February 9, 2016

In short, this means that Internet access in India will remain an open field, where users should be guaranteed equal access to any website they want to visit, regardless of how they connect to the Internet.

In their ruling, Telecommunication Regulatory Authority of India (TRAI) commented:

In India, given that a majority of the population are yet to be connected to the internet, allowing service providers to define the nature of access would be equivalent of letting TSPs shape the users’ internet experience.

#TRAIFreesInternet | Key take aways from TRAI’s ruling on Net Neutrality pic.twitter.com/xlFsLb3bZ6

— CNN-IBN News (@ibnlive) February 8, 2016

The decision of the Indian government has been welcomed largely in the country and outside. In support of the move, the World Wide Web Foundation's Renata Avila, also a Global Voices community member, wrote:

As the country with the second largest number of Internet users worldwide, this decision will resonate around the world. It follows a precedent set by Chile, the United States, and others which have adopted similar net neutrality safeguards. The message is clear: We can’t create a two-tier Internet – one for the haves, and one for the have-nots. We must connect everyone to the full potential of the open Web.

A blow for Facebook's “Free Basics”

While the new rules should long outlast this moment in India's Internet history, the ruling should immediately force Facebook to cancel the local deployment of “Free Basics”, a smart phone application that offers free access to Facebook, Facebook-owned products like WhatsApp, and a select suite of other websites for users who do not pay for mobile data plans.

Facebook's efforts to deploy and promote Free Basics as what they described as a remedy to India's lack of “digital equality” has encountered significant backlash. Last December, technology critic and Quartz writer Alice Truong reacted to Free Basics saying:

Zuckerberg almost portrays net neutrality as a first-world problem that doesn’t apply to India because having some service is better than no service.”

When TRAI solicited public comments on the matter of differential pricing, Facebook responded with an aggressive advertising campaign on bill boards and in television commercials across the nation. It also embedded a campaign inside Facebook, asking users to write to TRAI in support of Free Basics.

TRAI criticized Facebook for what it seemed to regard as manipulation of the public. Facebook was also heavily challenged by many policy and open Internet advocates including non-profits like the Free Software Movement of India and the Savetheinternet.in campaign. The latter two collectives strongly discouraged Free Basics by bringing public opinion where Savetheinternet.in alone facilitated a campaign in which citizens sent over 2.4 million emails to TRAI urging the agency to put a stop to differential pricing.

Alongside these efforts, 500 Indian startups including major ones like Cleartrip, Zomato, Practo, Paytm and Cleartax also wrote to India's prime minister Narendra Modi requesting continued support for net neutrality—on the Indian Republic Day January 26.

Stand-up comedians like Abish Mathew and groups like All India Bakchod and East India Comedy created humorous and informative videos explaining the regulatory debate and supporting net neutrality which went viral.

Had differential pricing been officially legalized, it would have adversely affected startups and content-based smaller companies, who most likely could never manage to pay higher prices to partner with service providers to make their service available for free. This would have paved the way for tech-giants like Facebook to capture the entire market. And this would be no small gain for a company like Facebook: India represents the world's largest market of Internet users after the US and China, where Facebook remains blocked.

The Internet responds

There have been mixed responses on social media, both supporting and opposing. Among open Internet advocates both in India and the US, the response was celebratory:

This order shows the power of citizen involvement in policymaking. Policymakers are forced to listen if citizens engage. #NetNeutrality

— Pranesh Prakash (@pranesh) February 8, 2016

I think this is not just a good day for the Internet in India. It's a good day for the Internet everywhere #TRAI #savetheinternet

— Anja Kovacs (@anjakovacs) February 8, 2016

India is now the global leader on #NetNeutrality. New rules are stronger than those in EU and US. https://t.co/D6g68k2xaI

— Josh Levy (@levjoy) February 8, 2016

There are also those like Panuganti Rajkiran who opposed the ruling:

A terrible decision.. The worst part here is the haves deciding for the have nots what they can have and what they cannot.

When you buy a car, it's fulfilment of aspiration. After that, the next guy who buys a car is just traffic. Let's regulate. #NetNeutrality

— Ramesh Srivats (@rameshsrivats) February 8, 2016

Soumya Manikkath says:

So all is not lost in the world, for the next two years at least. Do come back with a better plan, dear Facebook, and we'll rethink, of course.

The ruling leaves an open pathway for companies to offer consumers free access to the Internet, provided that this access is truly open and does not limit one's ability to browse any site of her choosing.

Bangalore-based Internet policy expert Pranesh Prakash noted that this work must continue until India is truly — and equally — connected:

The pro-#NetNeutrality campaign shouldn't rest until every poor family in India has full and free access to the Internet. #ZeroRating

— Pranesh Prakash (@pranesh) February 8, 2016

The Centre for Internet and Society (CIS) is a non-governmental organization which undertakes interdisciplinary research on internet and digital technologies from policy and academic perspectives.

In the course of its work CIS has also extensively researched and witten about the Aadhaar Scheme of the Government of India, specially from a privacy and technical point of view. CIS was part of the Group of Experts on Privacy constituted by the Planning Commission under the chairmanship of Justice AP Shah Committee and was instrumental in drafting a major part of the report of the Group. In this background CIS would like to mention that it is neither an expert on banking policy in general nor wishes to comment upon the purely banking related recommendations of the Committee. We would like to limit our recommendations to the areas in which we have some expertise and would therefore be commenting only on certain Recommendations of the Committee.

Before giving our individual comments on the relevant recommendations, CIS would like to make one broad comment with regard to the suggestions dealing with linking of Aadhaar numbers with bank accounts. Aadhaar is increasingly being used by the government in various departments as a means to prevent fraud, however there is a serious dearth of evidence to suggest that Aadhaar linkage actually prevents leakages in government schemes. The same argument would be applicable when Aadhaar numbers are sought to be utilized to prevent leakages in the banking sector.

Another problem with linking bank accounts with Aadhaar numbers, even if it is not mandatory, is that when the RBI issues an advisory to (optionally) link Aadhaar numbers with bank accounts, a number of banks may implement the advisory too strictly and refuse service to customers (especially marginal customers) whose bank accounts are not linked to their Aadhaar numbers, perhaps due to technical problems in the registration procedure, thereby denying those individuals access to the banking sector, which is contrary to the aims and objectives of the Committee and the stated policy of the RBI to improve access to banking.

Individual Comments

Recommendation 1.4 - Given the predominance of individual account holdings, the Committee recommends that a unique biometric identifier such as Aadhaar should be linked to each individual credit account and the information shared with credit information companies. This will not only be useful in identifying multiple accounts, but will also help in mitigating the overall indebtedness of individuals who are often lured into multiple borrowings without being aware of its consequences.

CIS Comment: The discussion of the committee before making this recommendation revolves around the total incidence of indebtedness in rural areas and their Debt-to-Asset ratio representing payment capacity. However, the committee has not discussed any evidence which indicates that borrowing from multiple banks leads to greater indebtedness for individual account holders in the rural sector. Without identifying the problem through evidence the Committee has suggested linking bank accounts with Aadhaar numbers as a solution.

Recommendation 2.2 - On the basis of cross-country evidence and our own experience, the Committee is of the view that to translate financial access into enhanced convenience and usage, there is a need for better utilization of the mobile banking facility and the maximum possible G2P payments, which would necessitate greater engagement by the government in the financial inclusion drive.

CIS Comment: The drafting of the recommendation suggests that RBI is batting for the DBT rather than the subsidy model. However an examination of the discussion in the report suggests that all that the Committee has not discussed or examined the subsidy model vis-à-vis the direct benefit transfer (DBT) model here (though it does recommend DBT in the chapter on G-2-P payments), but only is trying to say is that where government to people money transfer has to take place, it should take place using mobile banking, payment wallets or other such technologies, which have been known to be successful in various countries across the world.

Recommendation 3.1 - The Committee recommends that in order to increase formal credit supply to all agrarian segments, the digitization of land records should be taken up by the states on a priority basis.

Recommendation 3.2 - In order to ensure actual credit supply to the agricultural sector, the Committee recommends the introduction of Aadhaar-linked mechanism for Credit Eligibility Certificates. For example, in Andhra Pradesh, the revenue authorities issue Credit Eligibility Certificates to Tenant Farmers (under ‘Andhra Pradesh Land Licensed Cultivators Act No 18 of 2011'). Such tenancy /lease certificates, while protecting the owner’s rights, would enable landless cultivators to obtain loans. The Reserve Bank may accordingly modify its regulatory guidelines to banks to directly lend to tenants / lessees against such credit eligibility certificates.

CIS Comment: The Committee in its discussion before the recommendation 3.2 has discussed the problems faced by landless farmers, however there is no discussion or evidence which suggests that an Aadhaar linked Credit Eligibility Certificate is the best solution, or even a solution to the problem. The concern being expressed here is not with the system of a Credit Eligibility Certificate, but with the insistence on linking it to an Aadhaar number, and whether the system can be put in place without linking the same to an Aadhaar number.

Recommendation 6.11 - Keeping in view the indebtedness and rising delinquency, the Committee is of the view that the credit history of all SHG members would need to be created, linking it to individual Aadhaar numbers. This will ensure credit discipline and will also provide comfort to banks.

CIS Comment: There is no discussion in the Report on the reasons for increase in indebtedness of SHGs. While the recommendation of creating credit histories for SHGs is laudable and very welcome, however there is no logical reason that has been brought out in the Report as to why the same needs to be linked to individual Aadhaar numbers and how such linkage will solve any problems.

Recommendation 6.13 - The Committee recommends that bank credit to MFIs should be encouraged. The MFIs must provide credit information on their borrowers to credit bureaus through Aadhaar-linked unique identification of individual borrowers.

CIS Comment: Since the discussion before this recommendation clearly indicates multiple lending practices as one of the problems in the Microfinance sector and also suggests better credit information of borrowers as a possible solution, therefore this recommendation per se, seems sound. However, we would still like to point out that the RBI may think of alternative means to get borrower credit history rather than relying upon just the Aadhaar numbers.

Recommendation 7.3 - Considering the widespread availability of mobile phones across the country, the Committee recommends the use of application-based mobiles as PoS for creating necessary infrastructure to support the large number of new accounts and cards issued under the PMJDY. Initially, the FIF can be used to subsidize the associated costs. This will also help to address the issue of low availability of PoS compared to the number of merchant outlets in the country. Banks should encourage merchants across geographies to adopt such applicationbased mobile as a PoS through some focused education and PoS deployment drives.

Recommendation 7.5 - The Committee recommends that the National Payments Corporation of India (NPCI) should ensure faster development of a multi-lingual mobile application for customers who use non-smart phones, especially for users of NUUP; this will address the issue of linguistic diversity and thereby promote its popularization and quick adoption.

Recommendation 7.8 - The Committee recommends that pre-paid payment instrument (PPI) interoperability may be allowed for non-banks to facilitate ease of access to customers and promote wider spread of PPIs across the country. It should however require non-bank PPI operators to enhance their customer grievance redressal mechanism to deal with any issues thereof.

Recommendation 7.9 - The Committee is of the view that for non-bank PPIs, a small-value cashout may be permitted to incentivize usage with the necessary safeguards including adequate KYC and velocity checks.

CIS Comments: While CIS supports the effort to use technology and mobile phones to increase banking penetration and improve access to the formal financial sector for rural and semi-rural areas, sufficient security mechanisms should be put in place while rolling out these services keeping in mind the low levels of education and technical sophistication that are prevalent in rural and semi-rural areas.

Recommendation 8.1 - The Committee recommends that the deposit accounts of beneficiaries of government social payments, preferably all deposits accounts across banks, including the ‘inprinciple’ licensed payments banks and small finance banks, be seeded with Aadhaar in a timebound manner so as to create the necessary eco-system for cash transfer. This could be complemented with the necessary changes in the business correspondent (BC) system (see Chapter 6 for details) and increased adoption of mobile wallets to bridge the ‘last mile’ of service delivery in a cost-efficient manner at the convenience of the common person. This would also result in significant cost reductions for the government besides promoting financial inclusion.

CIS Comment: While the report of the Committee has already given several examples of how cash transfer directly into the bank accounts (rather than requiring the beneficiaries to be at a particular place at a particular time) could be more efficient as well as economical, the Committee is making the same point again here under the chapter that deals specifically with government to person payments. However even before this recommendation, there has been no discussion as to the need for linking or “seeding” the deposit accounts of the beneficiaries with Aadhaar numbers, let alone a discussion of how it would solve any problems.

Recommendation 10.6 - Given the focus on technology and the increasing number of customer complaints relating to debit/credit cards, the National Payments Corporation of India (NPCI) may be invited to SLBC meetings. They may particularly take up issues of Aadhaar-linkage in bank and payment accounts.

CIS Comment: There is no discussion on why this recommendation has been made, more particularly; there is no discussion at all on why issues of Aadhaar linkage in bank and payment accounts need to be taken up at all.

Click here to download the full file

Globally, the pace of urbanization is increasing exponentially. The world’s urban population is projected to rise from 3.6 billion to 6.3 billion between 2011 and 2050. A solution for the same has been development of sustainable cities by improving efficiency and integrating infrastructure and services [1]. It has been estimated that during the next 20 years, 30 Indians will leave rural India for urban areas every minute, necessitating smart and sustainable cities to accommodate them [2]. The Smart Cities Mission of the Ministry of Urban Development was announced in the year 2014, followed by selection of 100 cities in the year 2015 and 20 of them being selected for the first Phase of the project in the year 2016. The Mission [3] lists the “core infrastructural elements” that a smart city would incorporate like adequate water supply, assured electricity, sanitation, efficient public transport, affordable housing (especially for the poor), robust IT connectivity and digitisation, e-governance and citizen participation, sustainable environment, safety and security for citizens, health and education.

With a paradigm shift towards the concept of “Smart Cities’ globally, as well as India, such cities have been defined by several international standardization bodies and countries, however, there is no uniform definition adopted globally. The envisioned modern and smart city promises delivery of high quality services to the citizens and will harness data capture and communication management technologies. The performance of such cities would be monitored on the basis of physical as well as the social structure comprising of smart approaches and solution to utilities and transport.

The glue that allows infrastructures to link and operate efficiently is standards as they make technologies interoperable and efficient. Interoperability is essential and to ensure smart integration of various systems in a smart city, internationally agreed standards that include technical specifications and classifications must be adhered to. Development of international standards ensure seamless interaction between components from different suppliers and technologies [4].

Standardized indicators within standards benefit smart cities in the following ways:

1. Effective governance and efficient delivery of services.
2. International and Local targets, benchmarking and planning.
3. Informed decision making and policy formulation.
4. Leverage for funding and recognition in international entities.
5. Transparency and open data for investment attractiveness.
6. A reliable foundation for use of big data and the information explosion to assist cities in building core knowledge for city decision-making, and enable comparative insight.

The adoption of standards for smart cities has been advocated across the world as they are perceived to be an effective tool to foster development of the cities. The Director of the ITU Telecommunication Standardization Bureau Chaesub Lee is of the view that “Smart cities will employ an abundance of technologies in the family of the Internet of Things (IoT) and standards will assist the harmonized implementation of IoT data and applications , contributing to effective horizontal integration of a city’s subsystems” [5].

Smart Cities standards in India

National Association of Software and Services Companies (NASSCOM) partnered with Accenture [6] to prepare a report called ‘Integrated ICT and Geospatial Technologies Framework for 100 Smart Cities Mission’ [7] to explore the role of ICT in developing smart cities [8], after the announcement of the Mission by Indian Government. The report, released in May 2015, lists down 55 global standards, keeping in view several city sub-systems like urban planning, transport, governance, energy, climate and pollution management, etc which could be applicable to the smart cities in India.

Though NASSCOM is working closely with the Ministry of Urban Development to create a sustainable model for smart cities [9], due to lack of regulatory standards for smart cities, the Bureau of Indian Standards (BIS) in India has undertaken the task to formulate standardised guidelines for central and state authorities in planning, design and construction of smart cities by setting up a technical committee under the Civil engineering department of the Bureau. However, adoption of the standards by implementing agencies would be voluntary and intends to complement internationally available documents in this area [10].

Developing national standards in line with these international standards would enable interoperability (i.e. devices and systems working together) and provide a roadmap to address key issues like data protection, privacy and other inherent risks in the digital delivery and use of public services in the envisioned smart cities, which call for comprehensive data management standards in India to instill public confidence and trust [11].

Key International Smart Cities Standards

Following are the key internationally accepted and recognized Smart Cities standards developed by leading organisations and the national standardization bodies of several countries that India could adopt or develop national standards in line with these.

The International Organization for Standardization (ISO) - Smart Cities Standards

ISO is an instrumental body advocating and developing for smart cities to safeguard rights of the people against a liveable and sustainable environment. The ISO Smart Cities Strategic Advisory Group uses the following working definition: A ‘Smart City’ is one that dramatically increases the pace at which it improves its social, economic and environmental (sustainability) outcomes, responding to challenges such as climate change, rapid population growth, and political and economic instability by fundamentally improving how it engages society, how it applies collaborative leadership methods, how it works across disciplines and city systems, and how it uses data information and modern technologies in order to transform services and quality of life for those in and involved with the city (residents, businesses, visitors), now and for the foreseeable future, without unfair disadvantage of others or degradation of the natural environment. [For details see ISO/TMB Smart Cities Strategic Advisory Group Final Report, September 2015 ( ISO Definition, June 2015)].

The ISO Technical Committee 268 works on standardization in the field of Sustainable Development in Communities [12] to encourage the development and implementation of holistic, cross-sector and area-based approaches to sustainable development in communities. The Committee comprises of 3 Working Groups [13]:

• Working Group 1: System Management ISO 37101- This standard sets requirements, guidance and supporting techniques for sustainable development in communities. It is designed to help all kinds of communities manage their sustainability, smartness and resilience to improve the contribution of communities to sustainable development and assess their performance in this area [14].
• Working Group  2 : City Indicators- The key Smart Cities Standards developed by ISO TC 268 WG 2 (City Indicators) are:

ISO 37120 Sustainable Development of Communities — Indicators for City Services and Quality of Life

One of the key standards and an important step in this regard was ISO 37120:2014 under the ISO’s Technical Committee 268 (See Working on Standardization in the field of Sustainable Development in Communities) providing clearly defined city performance indicators (divided into core and supporting indicators) as a benchmark for city services and quality of life, along with a standard approach for measuring each for city leaders and citizens [15]. The standard is global in scope and can help cities prioritize city budgets, improve operational transparency, support open data and applications [16]. It follows the principles [17] set out and can be used in conjunction with ISO 37101.

ISO 37120 was the first ISO Standard on Global City Indicators published in the year 2014, developed on the basis of a set of indicators developed and extensively tested by the Global City Indicators Facility (a project by University of Toronto) and its 250+ member cities globally. GCIF is committed to build standardized city indicators for performance management including a database of comparable statistics that allow cities to track their effectiveness on everything from planning and economic growth to transportation, safety and education [18].

The World Council on City Data (WCCD) [19] - a sister organization of the GCI/GCIF - was established in the year 2014 to operationalize ISO 37120 across cities globally. The standards encompasses 100 indicators developed around 17 themes to support city services and quality of life, and is accessible through the WCCD Open City Data Portal which allows for cutting-edge visualizations and comparisons. Indian cities are not yet listed with WCCD [20].

The indicators are listed under the following heads [21]:

1. Economy
2. Education
3. Environment
4. Energy
5. Finance
6. Fire and Emergency Responses
7. Governance
8. Health
9. Safety
10. Shelter
11. Recreation
12. Solid Waste
13. Telecommunication and innovation
14. Transportation
15. Urban Planning
16. Waste water
17. Water and Sanitation

This International Standard is applicable to any city, municipality or local government that undertakes to measure its performance in a comparable and verifiable manner, irrespective of size and location or level of development. City indicators have the potential to be used as critical tools for city managers, politicians, researchers, business leaders, planners, designers and other professionals [22]. The WCCD forum highlights need for cities to have a set of globally standardized indicators to [23]:

1. Manage and make informed decisions through data analysis
2. Benchmark and target
3. Leverage Funding with senior levels of government
4. Plan and establish new frameworks for sustainable urban development
5. Evaluate the impact of infrastructure projects on the overall performance of a city.

ISO/DTR 37121- Inventory and Review of Existing Indicators on Sustainable Development and Resilience in Cities

The second standard under ISO TC 268 WG 2 is ISO 37121, which defines additional indicators related to sustainable development and resilience in cities. Some of the indicators include: Smart Cities, Smart Grid, Economic Resilience, Green Buildings, Political Resilience, Protection of biodiversity, etc. The complete list can be viewed on the Resilient Cities website [24].

Working Group 3: Terminology - There are no publicly available documents so far, giving details about the status of the activities of this group. The ISO Technical Committee 268 also includes Sub Committee 1 (Smart Community Infrastructure) [25], comprising of the following Working Groups: 1) WG 1 Infrastructure metrics, and 2) WG 2 Smart Community Infrastructure.

The key Smart Cities Standards developed by ISO under this are:

• ISO 37151:2015 Smart community infrastructures — Principles and Requirements for Performance Metrics
  In the year 2015, a new ISO technical specification for smart cities- 37151:2015 for Principles and requirements for performance metrics was released.  The purpose of standardization in the field of smart community infrastructures such as energy, water, transportation, waste, information and communications technology (ICT), etc. is to promote the international trade of community infrastructure products and services and improve sustainability in communities by establishing harmonized product standards [26]. The metrics in this standard will support city and community managers in planning and measuring performance, and also compare and select procurement proposals for products and services geared at improving community infrastructures [27].
  This Technical Specification gives principles and specifies requirements for the definition,identification, optimization, and harmonization of community infrastructure performance metrics, and gives recommendations for analysis, regarding interoperability, safety, security of community infrastructures [28]. This new Technical Specification supports the use of the ISO 37120 [29].

• ISO/TR 37150:2014 Smart Community Infrastructures - Review of Existing Activities Relevant to Metrics
  This standard addresses community infrastructures such as energy, water, transportation, waste and information and communications technology (ICT). Smart community infrastructures take into consideration environmental impact, economic efficiency and quality of life by using information and communications technology (ICT) and renewable energies to achieve integrated management and optimized control of infrastructures. Integrating smart community infrastructures for a community helps improve the lifestyles of its citizens by, for example: reducing costs, increasing mobility and accessibility, and reducing environmental pollutants.
  ISO/TR 37150 reviews relevant metrics for smart community infrastructures and provides stakeholders with a better understanding of the smart community infrastructures available around the world to help promote international trade of community infrastructure products and give information about leading-edge technologies to improve sustainability in communities [30]. This standard, along with the above mentioned standards [31] supports the multi-billion dollar smart cities technology industry.

Several other ISO Working Groups developing standards applicable to smart and sustainable cities have been listed in our website [32].

The International Telecommunications Union (ITU)

The ITU is another global body working on development of standards regarding smart cities.

A study group was formed in the year 2015 to tackle standardization requirements for the Internet of Things, with an initial focus on IoT applications in smart cities to address urban development challenges [33], to enable the coordinated development of IoT technologies, including machine-to-machine communications and ubiquitous sensor networks. The group is titled “ITU-T Study Group 20: IoT and its applications, including smart cities and communities”, established to develop standards that leverage IoT technologies to address urban-development challenges and the mechanisms for the interoperability of IoT applications and datasets employed by various vertically oriented industry sectors [34].

ITU-T also concluded a focused study group looking at smart sustainable cities in May 2015, acting as an open platform for smart city stakeholders to exchange knowledge in the interests of identifying the standardized frameworks needed to support the integration of ICT services in smart cities. Its parent group is ITU-T Study Group 5, which has  agreed on the following definition of a Smart Sustainable City:
"A smart sustainable city is an innovative city that uses information and communication technologies (ICTs) and other means to improve quality of life, efficiency of urban operation and services, and competitiveness, while ensuring that it meets the needs of present and future generations with respect to economic, social, environmental as well as cultural aspects".

UK - British Standards Institution

Apart from the global standards setting organisations, many countries have been looking at developing standards to address the growth of smart cities across the globe. In the UK, the British Standards Institution (BSI) has been commissioned by the UK Department of Business, Innovation and Skills (BIS) to conceive a Smart Cities Standards Strategy to identify vectors of smart city development where standards are needed. The standards would be developed through a consensus-driven process under the BSI to ensure good practise is shared between all the actors. The BIS launched the City's Standards Institute to bring together cities and key industry leaders and innovators to work together in identifying the challenges facing cities, providing solutions to common problems and defining the future of smart city standards [35].

• PAS 181 Smart city framework- Guide to establishing strategies for smart cities and communities establishes a good practice framework for city leaders to develop, agree and deliver smart city strategies that can help transform their city’s ability to meet challenges faced in the future and meet the goals. The smart city framework (SCF) does not intend to describe a one-size-fits-all model for the future of UK cities but focuses on the enabling processes by which the innovative use of technology and data, together with organizational change, can help deliver the diverse visions for future UK cities in more efficient, effective and sustainable ways [36].

• PD 8101 Smart cities- Guide to the role of the planning and development process gives guidance regarding planning for new development for smart city plans and provides an overview of the key issues to be considered and prioritized. The document is for use by local authority planning and regeneration officers to identify good practice in a UK context, and what tools they could use to implement this good practice. This aims to enable new developments to be built in a way that will support smart city aspirations at minimal cost [37].

• PAS 182 Smart city concept model. Guide to establishing a model for data establishes an interoperability framework and data-sharing between agencies for smart cities for the following purposes:

  1. To have a city where information can be shared and understood between organizations and people at each level
  2. The derivation of data in each layer can be linked back to data in the previous layer
  3. The impact of a decision can be observed back in operational data. The smart city concept model (SCCM) provides a framework that can normalize and classify information from many sources so that data sets can be discovered and combined to gain a better picture of the needs and behaviours of a city’s citizens (residents and businesses) to help identify issues and devise solutions. PAS 182 is aimed at organizations that provide services to communities in cities, and manage the resulting data, as well as decision-makers and policy developers in cities [38].

• PAS 180 Smart cities Vocabulary helps build a strong foundation for future standardization and good practices by providing an industry-agreed understanding of smart city terms and definitions to be used in the UK. It provides a working definition of a Smart City- “Smart Cities” is a term denoting the effective integration of physical, digital and human systems in the built environment to deliver a sustainable, prosperous and inclusive future for its citizens [39]. This aims to help improve communication and understanding of smart cities by providing a common language for developers, designers, manufacturers and clients. The standard also defines smart city concepts across different infrastructure and systems’ elements used across all service delivery channels and is intended for city authorities and planners, buyers of smart city services and solutions [40], as well as product and service providers.

Endnotes

[1] See: http://www.iec.ch/whitepaper/pdf/iecWP-smartcities-LR-en.pdf.

[2] See: http://www.ibm.com/smarterplanet/in/en/sustainable_cities/ideas/.

[3] See: http://www.thehindubusinessline.com/economy/smart-cities-mission-welcome-to-tomorrows-world/article8163690.ece.

[4] See: http://www.iec.ch/whitepaper/pdf/iecWP-smartcities-LR-en.pdf.

[5] See: http://www.iso.org/iso/news.htm?refid=Ref2042.

[6] See: http://www.livemint.com/Companies/5Twmf8dUutLsJceegZ7I9K/Nasscom-partners-Accenture-to-form-ICT-framework-for-smart-c.html.

[7] See: http://www.nasscom.in/integrated-ict-and-geospatial-technologies-framework-100-smart-cities-mission.

[8] See: http://www.cxotoday.com/story/nasscom-creates-framework-for-smart-cities-project/.

[9] See: http://www.livemint.com/Companies/5Twmf8dUutLsJceegZ7I9K/Nasscom-partners-Accenture-to-form-ICT-framework-for-smart-c.html.

[10] See: http://www.business-standard.com/article/economy-policy/in-a-first-bis-to-come-up-with-standards-for-smart-cities-115060400931_1.html.

[11] See: http://www.longfinance.net/groups7/viewdiscussion/72-financing-financing-tomorrow-s-cities-how-standards-can-support-the-development-of-smart-cities.html?groupid=3.

[12] See: http://www.iso.org/iso/iso_technical_committee?commid=656906.

[13] See: http://cityminded.org/wp-content/uploads/2014/11/Patricia_McCarney_PDF.pdf.

[14] See: http://www.iso.org/iso/news.htm?refid=Ref1877.

[15] See: http://smartcitiescouncil.com/article/new-iso-standard-gives-cities-common-performance-yardstick.

[16] See: http://smartcitiescouncil.com/article/dissecting-iso-37120-why-new-smart-city-standard-good-news-cities.

[17] See: http://www.iso.org/iso/catalogue_detail?csnumber=62436.

[18] See: http://www.cityindicators.org/.

[19] See: http://www.dataforcities.org/.

[20] See: http://news.dataforcities.org/2015/12/world-council-on-city-data-and-hatch.html.

[21] See: http://news.dataforcities.org/2015/12/world-council-on-city-data-and-hatch.html.

[22] See: http://www.iso.org/iso/37120_briefing_note.pdf.

[23] See: http://www.dataforcities.org/wccd/.

[24] See: http://resilient-cities.iclei.org/fileadmin/sites/resilient-cities/files/Webinar_Series/HERNANDEZ_-_ICLEI_Resilient_Cities_Webinar__FINAL_.pdf.

[25] See: http://www.iso.org/iso/iso_technical_committee?commid=656967.

[26] See: https://www.iso.org/obp/ui/#iso:std:iso:ts:37151:ed-1:v1:en.

[27] See: http://www.iso.org/iso/home/news_index/news_archive/news.htm?refid=Ref2001&utm_medium=email&utm_campaign=ISO+Newsletter+November&utm_content=ISO+Newsletter+November+CID_4182720c31ca2e71fa93d7c1f1e66e2f&utm_source=Email%20marketing%20software&utm_term=Read%20more.

[28] See: http://www.iso.org/iso/37120_briefing_note.pdf.

[29] See: http://standardsforum.com/isots-37151-smart-cities-metrics/.

[30] See: http://www.iso.org/iso/executive_summary_iso_37150.pdf.

[31] See: http://standardsforum.com/isots-37151-smart-cities-metrics/.

[32] See: http://cis-india.org/internet-governance/blog/database-on-big-data-and-smart-cities-international-standards.

[33] See: http://smartcitiescouncil.com/article/itu-takes-internet-things-standards-smart-cities.

[34] See: https://www.itu.int/net/pressoffice/press_releases/2015/22.aspx.

[35] See: http://www.bsigroup.com/en-GB/smart-cities/.

[36] See: http://www.bsigroup.com/en-GB/smart-cities/Smart-Cities-Standards-and-Publication/PAS-181-smart-cities-framework/.

[37] See: http://www.bsigroup.com/en-GB/smart-cities/Smart-Cities-Standards-and-Publication/PD-8101-smart-cities-planning-guidelines/.

[38] See: http://www.bsigroup.com/en-GB/smart-cities/Smart-Cities-Standards-and-Publication/PAS-182-smart-cities-data-concept-model/.

[39] See: http://www.iso.org/iso/smart_cities_report-jtc1.pdf.

[40] See: http://www.bsigroup.com/en-GB/smart-cities/Smart-Cities-Standards-and-Publication/PAS-180-smart-cities-terminology/.

The article was published in Economic & Political Weekly, Journal » Vol. 51, Issue No. 9, 27 Feb, 2016.

A legal challenge is being mounted in the Supreme Court, currently, to the programme of biometric identification that the Unique Identification Authority of India (UIDAI) is engaged upon: an identification preliminary and a requisite to providing citizens with “Aadhaar numbers” that can serve them as “unique identifiers” in their transactions with the state. What follows will recount an assessment of their chances of success. We shall be using data that was available to the UIDAI and shall employ only elementary ways of calculation. It should be recorded immediately that an earlier technical paper by the author (Mathews 2013) has been of some use to the plaintiffs, and reference will be made to that in due course.

The Aadhaar numbers themselves may or may not derive, in some way, from the biometrics in question; the question is not material here. For our purposes a biometric is a numerical representation of some organic feature: like the iris or the retina, for instance, or the inside of a finger, or the hand taken whole even. We shall consider them in some more detail later. The UIDAI is using fingerprints and iris images to generate a combination of biometrics for each individual. This paper bears on the accuracy of the composite biometric identifier. How well those composites will distinguish between individuals can be assessed, actually, using the results of an experiment conducted by the UIDAI itself in the very early stages of its operation; and our contention is that, from those results themselves, the UIDAI should have been able to estimate how many individuals would have their biometric identifiers matching those of some other person, under the best of circumstances even, when any good part of population has been identified.

Read the full article here.

The author thanks Nico Temme of the Centrum Wiskunde & Informatica in The Netherlands for the bounds he derived on the chance of a false positive. He is particularly grateful to the anonymous referee of this journal who, through two rounds of comment, has very much improved the presentation of the results. A technical supplement to this paper is placed on the EPW website along with this paper.

The article was published by The Wire on March 10, 2016

In December, 2010, the UPA Government introduced the National Identification Authority of India Bill, 2010 in the Parliament. It was subsequently referred to a Standing Committee on Finance by the Speaker of Lok Sabha under Rule 331E of the the Rules of Procedure and Conduct of Business in Lok Sabha. This Committee, headed by BJP leader Yashwant Sinha took evidence from the Minister of Planning and the UIDAI from the government, as well as seeking the view of parties such as the National Human Rights Commission, Indian Banks Association and researchers like Dr Reetika Khera and Dr. Usha Ramanathan. In 2011, having heard from various parties and considering the concerns and apprehensions about the UID scheme, the Committee deemed the bill unacceptable and suggested a re-consideration of the the UID scheme as well as the draft legislation.

The Aadhaar programme has so far been implemented under the Unique Identification Authority of India, a Central Government agency created through an executive order. This programme has been shrouded in controversy over issues of privacy and security resulting in a Public Interest Litigation filed by Judge Puttaswamy in the Supreme Court. While the BJP had criticised the project as well as the draft legislation  when it was in opposition, once it came to power and particularly, after it launched various welfare schemes like Digital India and Jan Dhan Yojna, it decided to continue with it and use Aadhaar as the identification technology for these projects. In the last year, there have been orders passed by the Supreme Court which prohibited making Aadhaar mandatory for availing services. One of the questions that the government has had to answer both inside and outside the court on the UID project is the lack of a legislative mandate for a project of this size. About five years later, the new BJP led government has come back with a rehash of the same old draft, and no comments made by the standing committee have been taken into account.

The Standing Committee on the old bill had taken great exception to the continued collection of data and issuance of Aadhaar numbers, while the Bill was pending in the Parliament. The report said that the implementation of the provisions of the Bill and continuing to incur expenditure from the exchequer was a circumvention of the prerogative powers of the Parliament. However, the project has continued without abeyance since its inception in 2009. I am listing below some of the issues that the Committee identified with the UID project and draft legislation, none of which have been addressed in current Bill.

One of the primary arguments made by proponents of Aadhaar has been that it would be useful in providing services to marginalized sections of the society who currently do not have identification cards and consequently, are not able to receive state sponsored services, benefits and subsidies. The report points that the project would not be able to achieve this as no statistical data on the marginalized sections of the society are being used to by UIDAI to provide coverage to them. The introducer systems which was supposed to provide Aadhaar numbers to those without any form of identification, has been used to enroll only 0.03% of the total number of people registered. Further, the Biometrics Standards Committee of UIDAI has itself acknowledged the issues caused due to a high number of manual laborers in India which would lead to sub-optimal fingerprint scans. A report by 4G Identity Solutions estimates that while in any population, approximately 5% of the people have unreadable fingerprints, in India it could lead to a failure to enroll up to 15% of the population. In this manner, the project could actually end up excluding more people.

The Report also pointed to a lack of cost-benefit analysis done before going ahead with scheme of this scale. It makes a reference to the report by the London School of Economics on the UK Identity Project which was shelved due to a) huge costs involved in the project, b) the complexity of the exercise and unavailability of reliable, safe and tested technology, c) risks to security and safety of registrants, d) security measures at a scale that will result in substantially higher implementation and operational costs and e) extreme dangers to rights of registrants and public interest. The Committee Report insisted that such global experiences remained relevant to the UID project and need to be considered. However, the new Bill has not been drafted with a view to address any of these issues.

The Committee comes down heavily on the irregularities in data collection by the UIDAI. They raise doubts about the ability of the Registrars to effectively verify the registrants and a lack of any security audit mechanisms that could identify issues in enrollment. Pointing to the news reports about irregularities in the process being followed by the Registrars appointed by the UIDAI, the Committee deems the MoUs signed between the UIDAI and the Registrars as toothless. The involvement of private parties has been under question already with many questions being raised over the lack of appropriate safeguards in the contracts with the private contractors.

• Title

2010 Bill: The Bill was titled as the National Identification Authority of India Bill, 2010.

2016 Bill : The Bill has been titled as the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016.

• Purpose/Object Clause

2010 Bill: The purpose of Bill was stated to provide for the establishment of the National Identification Authority of India to issue identification numbers to residents of India as well as certain other classes of individuals , to facilitate access to benefits and services, to which they are entitled.

2016 Bill : The purpose of this Bill has been stated to ensure targeted delivery of subsidies, benefits and services to residents of India in an efficient and transparent manner by assigning unique identity numbers to such individuals.

• Definitions

1. 2010 Bill: “Authentication” was defined as the process in which the Aadhaar number, along with other attributes (including biometrics) are submitted to the Central Identities Data Repository for verification, done on the basis of information, data or documents available with the Repository.

   2016 Bill : “Authentication” has been defined as the process by which the Aadhaar number, along with demographic or biometric information of an individual is submitted to the Central Identities Data Repository for the purpose of verification, done on the basis of the correctness of (or lack of) information available with it.

2. 2010 Bill: “Authentication Record” was not defined in the previous Bill.

   2016 Bill : “Authentication Record”  has been defined under clause 2(d)  as the record of the time of authentication, the identity of the entity requesting such record and the response provided by the Authority for this purpose. 

3. 2010 Bill: “Authority” was defined under clause 2(d) as National Identification Authority of India established under provisions of the Bill. 

       2016 Bill :“Authority” has been defined under clause 2(e) as Unique Identification Authority of India established under provisions of the Bill.

4. 2010 Bill: “Benefit” was not defined in the previous Bill.  

   2016 Bill : “Benefit” has been defined under clause 2(f) as any advantage, gift, reward, relief, or payment (either in cash or kind), or such other benefits, which is provided to an

individual/ a group of individuals as notified by the Central Government.

5. 2010 Bill: “Biometric Information” was defined under clause 2(e) as a set of biological attributes of an individual as may be specified by regulations.

   2016 Bill : “Biometric Information” has been defined under clause 2(g) as biological attributes of an individual like photograph, fingerprint, Iris scan, or other such biological

attributes as may be specified by regulations.

6. 2010 Bill: “Core Biometric Information” was not defined in the previous Bill.

   2016 Bill : “Core Biometric Information” has been defined under clause 2(j) as biological attribute of an individual like fingerprint, Iris scan, or such other biological attribute as

may be specified by regulations.

7. 2010 Bill: “Demographic Information” was defined under clause 2(h) as information specified in the regulations for the purpose of issuing an Aadhaar number, like information relating to the name, age, gender and address of an individual (other than race, religion, caste, tribe, ethnicity, language, income or health), and such other information.

   2016 Bill : “Demographic Information” has been defined under clause 2(k) as information of an individual as may be specified by regulations for the purpose of issuing an Aadhaar number like information relating to the name, date of birth, address and other relevant information, excluding race, religion, caste, tribe, ethnicity, language, records of entitlement, income or medical history of an individual.

8. 2010 Bill: “Enrolling Agency” was defined under clause 2(i) as an agency appointed by the Authority or the Registrars for collecting information under the Act.

   2016 Bill : “Enrolling Agency” has been defined under clause 2(l) as an agency appointed by the Authority or a Registrar for collecting demographic and biometric information of individuals under this Act.

9. 2010 Bill: “Member” was defined under clause 2(l) to include the Chairperson and a part-time Member of the Authority appointed under the provisions of the Bill.

   2016 Bill : “Member” has been defined under clause 2(o)  to include the Chairperson and Member of the Authority appointed under the provisions of the Bill.

10. 2010 Bill: “Records of Entitlement” was not defined under the previous Bill.

    2016 Bill :  “Records of Entitlement” has been defined under clause 2(r) as the records of benefits, subsidies or services provided to, or availed by, any individual under any programme.

11. 2010 Bill: “Requesting Entity” was not defined under the previous Bill.

    2016 Bill : “Requesting Entity” has been defined under clause 2(u) as an agency or person that submits information of an individual comprising of the Aadhaar number and

demographic or biometric information to the Central Identities Data Repository for the purpose of authentication.

12. 2010 Bill: “Resident” was defined under clause 2(q) as an individual usually residing in a village, rural area, town, ward, demarcated area (demarcated by the Registrar General of Citizen Registration) within a ward in a town or urban area in India.

    2016 Bill : “Resident” has been defined under clause 2(v) as an individual who has resided in India for a period or periods amounting in all to one hundred and eighty-two days or more in the twelve months immediately preceding the date of application for enrolment.

13. 2010 Bill:  “Review Committee” was defined under clause 2(r) as the Identification Review Committee constituted under the provisions of the Bill.

    2016 Bill : “Review Committee” has not been defined under the Bill.

14. 2010 Bill: “Service” was not defined in the previous Bill.

    2016 Bill : “Service” has been defined under clause 2 (w) as any provision, facility, utility or any other assistance provided in any form to an individual or a group of individuals as may be notified by the Central Government.

15. 2010 Bill: “Subsidy” was not defined in the previous Bill.

    2016 Bill : “Subsidy” has been defined under clause 2(x) as any form of aid, support, grant, subvention, or appropriation (either in cash or kind), as may be notified by the Central Government, given to an individual or a group of individuals.

• Enrolment

1. Aadhaar Numbers

2016 Bill : Under clause 3(2) of the Bill, it is stated that at the time of enrolment, The enrolling agency shall inform the individual undergoing enrolment the following details:

(a) the manner in which the information so collected shall be used,

(b) the nature of recipients with whom the information is intended to be shared during authentication,and

(c) the existence of a right to access information, the procedure for making such requests for access, and details of the person/department in-charge to whom such requests can be

made.

2. Properties of Aadhaar Number 

2010 Bill : Clause 4 (3) stated that subject to authentication, the Aadhaar number shall be accepted as a proof of identity of the Aadhaar number holder.

2016 Bill : Clause 4 (3) states that subject to authentication, the Aadhaar number (either in physical or electronic form) shall be accepted as a proof of identity of the Aadhaar

number holder.

The Explanation under this clause states that for the purpose of this provision, “electronic form” shall have the same meaning as assigned to it in section 2 (1) (r) of the Information Technology Act, 2000.

• Authentication

1. Proof of Aadhaar number necessary for receipt of certain subsidies, benefits and services, etc. 

2016 Bill : Under clause 7 of the Bill it is provided that for the purpose of establishing an individual's identity as a condition to receipt a a subsidy, benefit or service. the Central or State Government (as the case may be), require that such individual undergo authentication, or furnish proof of possession of Aadhaar number. In case the Aadhaar number has not been assigned to an individual, such individual must make an application for enrolment.

The Proviso states that the individual shall be offered alternate and viable means of identification for delivery of the subsidy, benefit or service, in an Aadhaar number is not assigned to an individual.

2. Authentication of Aadhaar number 

2010 Bill: Clause 5 of the Bill stated that authentication of the Aadhaar number shall be performed by the Authority, in relation to the holders’ biometric and demographic information, subject to such conditions and on payment of the prescribed fees. Also, it was provided that the Authority shall respond to an authentication query with a positive, negative or other appropriate response (excluding any demographic and biometric information).

2016 Bill : The Bill states that authentication of the Aadhaar number shall be performed by the Authority, in relation to the holders’ biometric and demographic information, subject to such conditions and on payment of the prescribed fees.

Clause 8 (2) provides that unless otherwise provided in the Act, the requesting entity shall— 

1. For the purpose of authentication, obtain the consent of an individual before collecting his identity information, and

2. ensure that the identity information of an individual is only used for submission to the Central Identities Data Repository for authentication.

Clause 8 (3) provides that the following details shall be informed by the requesting entity to the individual submitting his identity information for the purpose of authentication: 

   a. the nature of information that may be shared upon authentication;

   b. the uses to which the information received during authentication may be put by the requesting entity; and

   c. alternatives to submission of identity information to the requesting entity.

Clause 8(4) states that the Authority shall respond to an authentication query with a positive, negative or other appropriate response (excluding any core biometric information).

3. Prohibition on requiring certain information. 

2010 Bill: Clause 9 of the Bill prohibited the Authority to make an individual give information pertaining to his race, religion, caste, tribe, ethnicity, language, income or health.

2016 Bill : This provision has been removed from the 2016 Bill.

• Unique Identification Authority Of India

1. Establishment of Authority 

2010 Bill: Clause 11(1) of the Bill stated that the Central Government shall establish an Authority called as the National Identification Authority of India, to exercise the powers conferred on it and to perform the functions assigned to it under this Act. Also, clause 11(3) provided that the head office of the Authority shall be in the National Capital Region, referred to in section 2(f) of the National Capital Region Planning Board Act, 1985. 

2016 Bill : Clause 11(1) of the Bill states that the Central Government shall establish an Authority called as the Unique Identification Authority of India, responsible for the processes of enrolment, authentication and perform such other functions assigned to it under this Act. Also, clause 11(3) provides that the head office of the Authority shall be in New Delhi.

2. Composition of Authority

2010 Bill: Clause 12 provided that the Authority shall consist of a Chairperson and two part-time Members, to be appointed by the Central Government.  

2016 Bill : Clause 12 of the Bill provides that the Authority shall consist of a Chairperson (appointed on part-time or full- time basis) , two part-time Members, and the chief executive officer (who shall be Member-Secretary of the Authority), to be appointed by the Central Government.

3. Qualifications for appointment of Chairperson and Members of Authority

2010 Bill: Clause 13 provided that the Chairperson and Members of the Authority shall be persons of ability, integrity and outstanding calibre having experience and knowledge in the matters relating to technology, governance, law, development, economics, finance, management, public affairs or administration. 

2016 Bill : Clause 13 provides that the Chairperson and Members of the Authority shall be persons of ability and integrity having experience and knowledge of at least ten years in matters relating to technology, governance, law, development, economics, finance, management, public affairs or administration.

4. Term of office and other conditions of service of Chairperson.

2010 Bill: Proviso to Clause 14 (1) stated that  the Chairperson of the Unique Identification Authority of India, who would have been appointed before the commencement of this Act by notification A-43011/02/2009-Admn.I (Vol.II) dated the 2nd July, 2009, shall continue as a Chairperson of the Authority for the term for which he had been appointed. Clause 14(4) prohibited the Chairperson from holding any other office during the period of holding his office in the Authority. Proviso to clause 14 (5) stated the salary, allowances and the other terms and conditions of service of the Chairperson shall not be varied to his disadvantage after his appointment. 

2016 Bill : These provisions have not been included in the Bill.

5. Removal of Chairperson and Members

2010 Bill:  Clause 15 (2) stated that unless a reasonable opportunity of being heard has been duly provided, the Chairperson or a Member shall not be removed under clauses (d) or (e) of sub-section (1).

2016 Bill : Clause 15 (2) stated that unless a reasonable opportunity of being heard has been duly provided, the Chairperson or a Member shall not be removed under clauses (b), (d) or (e) of sub-section (1).

6. Restrictions on Chairperson or Members on employment after cessation of office

2010 Bill: Clause 16 (a) provided that the Chairperson or a member, who ceases to hold office, shall not accept any employment in, or connected with the management or administration of, any person which has been associated with any work under the Act, for a period of three years from the date on which they cease to hold office, without previous approval of the Central Government. 

The proviso to this clause stated that this provision shall not apply to any employment under the Central Government, State Government, local authority, any statutory authority or any corporation established by or under any Central, State or provincial Act or a Government Company, as defined in section 617 of the Companies Act, 195.

2016 Bill: Clause 16 (a) provides that the Chairperson or a member, who ceases to hold office, shall not accept any employment in, or connected with the management of any organisation, company or any other entity which has been associated with any work done or contracted out by the Authority (whether directly or indirectly), during his tenure as Chairperson or Member, as the case may be, for a period of three years from the date on which he ceases to hold office, without previous approval of the Central Government. 

The proviso to this clause stated that this provision shall not apply to any employment under the Central Government, State Government, local authority, any statutory authority or any corporation established by or under any Central, State or provincial Act or a Government Company, as defined in clause (45) of section 2 of the Companies Act, 2013.

7. Functions of Chairperson

2010 Bill: Clause 17 of the Bill provided that the Chairperson shall have powers of general superintendence, direction in the conduct of the affairs of the Authority, preside over the meetings of the Authority, and exercise and discharge such other powers and functions of the Authority as prescribed, without prejudice to any of the provisions of the Act. 

2016 Bill : Clause 17 of the Bill states that the Chairperson shall preside over the meetings of the Authority, and exercise and discharge such other powers and functions of the Authority as prescribed, without prejudice to any of the provisions of the Act.

8. Chief Executive Officer

2010 Bill: Clause 20 (1) of the Bill stated that a chief executive officer, not below the rank of the Additional Secretary to the Government of India, who shall be the Member-Secretary of the Authority,shall be appointed by the Central Government.

2016 Bill : Clause 18 (1) stated that a chief executive officer, not below the rank of the Additional Secretary to the Government of India, shall be appointed by the Central Government. In the list of its responsibilities, clause 18 (2) (e) additionally provides for performing such other functions, or exercising such other powers, as may be specified by regulations.

9. Meetings 

2010 Bill: Clause 18 (4) provided that all decisions of the Authority shall be authenticated by the signature of the Chairperson or any other Member who is authorised by the Authority for this purpose.

2016 Bill : Clause 19 (4) provided that all decisions of the Authority shall be signed by the Chairperson, any other Member or the Member-Secretary authorised by the Authority.

10. Vacancies, etc., not to invalidate proceedings of Authority

2010 Bill: Clause 19 (b) of the Bill stated that No act or proceeding of the Authority shall be invalid merely by reason of any defect in the appointment of a person as a Member of the Authority

2016 Bill : Clause 20 (b) of the Bill stated that No act or proceeding of the Authority shall be invalid merely by reason of any defect in the appointment of a person as Chairperson or Member of the Authority

11. Powers and functions of Authority

 Clause 23 (2) (k)

2010 Bill: Clause 23 (2) (k) provided that the powers and functions of the Authority may include sharing the information of Aadhaar number holders, with their written consent, with such agencies engaged in delivery of public benefits and public services as the Authority may by order direct, in a manner as specified by regulations. 

2016 Bill : Clause 23 (2) (k) provides that the powers and functions of the Authority may include sharing the information of Aadhaar number holders, subject to the provisions of this Act.

Clause 23 (2) (r) 

2010 Bill : Clause 23 (2) (r) stated that the powers and functions of the Authority may include specifying, by regulation, the policies and practices for Registrars, enrolling agencies and other service providers.

2016 Bill : Clause 23 (2) (r) states that the powers and functions of the Authority may include evolving of, and specifying, by regulation, the policies and practices for Registrars, enrolling agencies and other service providers.

• Grants, Accounts and Audit and Annual Report

2010 Bill: Clause 25 provided that  the fees or revenue collected by the Authority shall be credited to the Consolidated Fund of India and the entire amount so credited be transferred to the Authority.

2016 Bill : Clause 25  states that the fees or revenue collected by the Authority shall be credited to the Consolidated Fund of India.

• Identity Review Committee

2010 Bill: Clause 28 of the Bill provided for establishment of the Identity Review Committee, consisting of three members (including the chairperson) who are persons of eminence, ability, integrity and having knowledge and experience in the fields of technology, law, administration and governance, social service, journalism, management or social sciences. Clause 29 of the Bill enlisted several functions to be undertaken by the Review Committee so constituted.

2016 Bill: These provisions have been removed from the Bill.

• Protection of Information

1. Security and confidentiality of information

2010 Bill: Clause 30 (2) of the Bill stated that the Authority shall take measures (including security safeguards) to ensure security and protection of information in possession/control of the Authority (including information stored in the Central Identities Data Repository), against any loss, unauthorised access, use or unauthorised disclosure of the same.

2016 Bill : Clause 28 (3) states that  the Authority shall take measures to ensure security and protection of information in possession/control of the Authority (including information stored in the Central Identities Data Repository), against access, use or disclosure not permitted under this Act or regulations made thereunder, and against accidental or intentional destruction, loss or damage.

A new provision-clause 28(4)- states that the Authority shall undertake the following additional measures for protection of information:

(a) adopt and implement appropriate technical and organisational security measures,

(b) ensure that the agencies, consultants, advisors or other persons appointed or engaged for performing any function of the Authority under this Act, have in place appropriate technical and organisational security measures for the information, and

(c) ensure that the agreements or arrangements entered into with such agencies, consultants, advisors or other persons, impose obligations equivalent to those imposed on the Authority under this Act, and require such agencies, consultants, advisors and other persons to act only on instructions from the Authority.

2. Restriction on sharing information 

2010 Bill: The Bill did not provide for restrictions on sharing of information.

2016 Bill: This new provision under Clause 29 states that no core biometric information, collected or created under this Act, shall be—

(a) shared with anyone for any reason whatsoever; or

(b) used for any purpose other than generation of Aadhaar numbers and authentication under this Act.

Also, the identity information, other than core biometric information, collected or created

under this Act may be shared only in accordance with the provisions of this Act as specified under Regulations.

Clause 29 (3) prohibits usage of identity information available with a requesting entity for any purpose, other than that specified to the individual at the time of submitting any identity information for authentication, or disclosed further, except with the prior consent of the individual to whom such information relates.

Clause 29 (4) prohibits publication, displaying or publicly posting of the Aadhaar number or core biometric information collected or created under this Act in respect of an Aadhaar number holder, except for the purposes as may prescribed in Law.

3. Biometric information deemed to be sensitive personal information.

 2010 Bill: The Bill did not contain provisions stating that the biometric information shall be deemed to be sensitive personal information for the purpose of this Act. 

2016 Bill: Clause 30 states that the biometric information collected and stored in electronic form shall be deemed to be “electronic record” and “sensitive personal data or information”, and the provisions contained in the Information Technology Act, 2000 and the rules made thereunder shall apply to such information,to the extent not in derogation of the provisions of this Act.

 The Explanation defines

(a) “electronic form” - as defined under section 2 (1) (r)  of the Information Technology Act, 2000,

(b) “electronic record” as defined under section 2 (1) (t)  of the Information Technology Act, 2000

(c)“sensitive personal data or information” - as defined under clause (iii) of the

Explanation to section 43A of the Information Technology Act, 2000.

4. Security and confidentiality of information

2010 Bill: Clause 30 (2) of the Bill stated that the Authority shall take measures (including security safeguards) to ensure security and protection of information in possession/control of the Authority (including information stored in the Central Identities Data Repository), against any loss, unauthorised access, use or unauthorised disclosure of the same.

2016 Bill : Clause 28 (3) states that  the Authority shall take measures to ensure security and protection of information in possession/control of the Authority (including information stored in the Central Identities Data Repository), against access, use or disclosure not permitted under this Act or regulations made thereunder, and against accidental or intentional destruction, loss or damage.

A new provision-clause 28(4)- states that the Authority shall undertake the following additional measures for protection of information:

(a) adopt and implement appropriate technical and organisational security measures,

(b) ensure that the agencies, consultants, advisors or other persons appointed or engaged for performing any function of the Authority under this Act, have in place appropriate technical and organisational security measures for the information, and

(c) ensure that the agreements or arrangements entered into with such agencies, consultants, advisors or other persons, impose obligations equivalent to those imposed on the Authority under this Act, and require such agencies, consultants, advisors and other persons to act only on instructions from the Authority.

5. Alteration of demographic information or biometric information. 

2016 Bill : Clause 31 (4) prohibits alteration of identity information in the Central Identities Data Repository, except in the manner provided in this Act or regulations made thereof.

6. Access to own information and records of requests for authentication.

2016 Bill : Clause 32 (3) provides that the Authority shall not collect, keep or maintain any information about the purpose of authentication, either by itself or through any entity under its control.

7. Disclosure of information in certain cases 

2010 Bill: The provision creates an exception under Clause 33 for the purposes of disclosure of information in certain cases like disclosure (including identity information or details of authentication) made pursuant to an order of a competent court; or disclosure (including identity information) made in the interests of national security in pursuance of directions issued by an officer(s) not below the rank of Joint Secretary or equivalent in the Central Government specifically authorised in this behalf by an order of the Central Government.

2016 Bill : The provision creates an exception under Clause 33 for the purposes of disclosure of information in certain cases like disclosure (including identity information or details of authentication) made pursuant to an order not inferior to that of a District Judge (provided that the court order shall be made only after giving an opportunity of hearing to the Authority); or disclosure (including identity information or authentication records) made in the interests of national security in pursuance of directions issued by an officer not below the rank of Joint Secretary to the Government of India, authorised in this behalf by an order of the Central Government.

The proviso to Clause 33 (2) states that every direction so issued shall be reviewed by an Oversight Committee consisting of the Cabinet Secretary and the Secretaries to the Government of India in the Department of Legal Affairs and the Department of Electronics and Information Technology, before it takes effect.

The second proviso states that any such direction so issued shall be valid for a period of three months from the date of its issue, which may be extended for a further period of three months after the review by the Oversight Committee.

• Offences and Penalties

1. Penalty for impersonation at time of enrolment. 

2010 Bill: The penalty for impersonation was prescribed under Clause 34  as imprisonment for a term which may extend to three years and fine which may extend to ten thousand rupees.

2016 Bill : The penalty for impersonation was prescribed under Clause 34  as imprisonment for a term which may extend to three years, or with fine which may extend to ten thousand rupees, or both.

2. Penalty for unauthorised access to the Central Identities Data Repository

2010 Bill: Clause 38 (g) stated that any person not authorised by the Authority,  provides any assistance to any person to do any of the acts mentioned under sub-clauses (a)-(f) shall be punishable. If anyone, who is not authorised by the Authority, performs any activity as listed under (a)-(i), shall be punishable with imprisonment for a term which may extend to three years and shall be liable to a fine which shall not be less than one crore rupees.

2016 Bill : Clause 38 (g) stated that any person not authorised by the Authority,  reveals any information in contravention of sub-section section 28 (5), or shares, uses or displays information in contravention of section 29 or assists any person in any of the acts mentioned under sub-clauses (a)-(f) shall be punishable. If anyone, who is not authorised by the Authority, performs any activity as listed under (a)-(i), shall be punishable with imprisonment for a term which may extend to three years and shall be liable to a fine which shall not be less than ten lakh rupees. Additionally, the Explanation states that the expression “computer source code” shall have the meaning assigned to it in the Explanation to section 65 of the Information Technology Act, 2000.

3. Penalty for unauthorised use by requesting entity and noncompliance with intimation requirements

2010 Bill: Clause 40 of the Bill prescribed penalty for manipulating biometric information and stated that a person who gives/attempts to give any biometric information which does not pertain to him for the purpose of getting an Aadhaar number, authentication or updating his information, shall be punishable with imprisonment for a term which may extend to three years or with a fine which may extend to ten thousand rupees or with both.

2016 Bill:  Clause 40 prescribes penalty for a person, being a requesting entity, uses the identity information of an individual in contravention of clause 8(3) , to be punishable with imprisonment which may extend to three years or with a fine which may extend to ten thousand rupees or, in the case of a company, with a fine which may extend to one lakh rupees or with both. Clause 41 of the Bill states that Whoever, being an enrolling agency or a requesting entity, fails to comply with the requirements of clause 3(2)-list of details to be informed to the individual undergoing enrolment, and clause 8(3)-informing individual undergoing enrolment details for the purpose of authentication, shall be punishable with imprisonment which may extend to one year, or with a fine which may extend to ten thousand rupees or, in the case of a company, with a fine which may extend to one lakh rupees or with both.

4. General Penalty

2010 Bill: For an offence committed under the Act or rules made thereunder, for which no specific penalty was provided, the penalty was prescribed as imprisonment for a term which may extend to three years, or fine as prescribed.

2016 Bill  : For an offence committed under the Act or rules made thereunder, for which no specific penalty was provided, the penalty was prescribed as imprisonment for a term which may extend to one year, or fine as prescribed.

• Miscellaneous

1. Power of Central Government to supersede Authority.

2010 Bill: Clause 47(1)(c) stated that if at any time the Central Government is of the opinion that such circumstances exist which render it necessary in the public interest to supersede the Authority, may do so in the manner prescribed under this provision.

2016 Bill : Clause 48(1)(c) states that if at any time the Central Government is of the opinion that a public emergency exists, then the Central Government may supersede the Authority, in the manner prescribed under this provision.

2. Power to remove difficulties.

2010 Bill: The proviso to Clause 56(1) stated that an no order by Central Government, which may appear necessary to remove a difficulty in giving effect to the provisions of this Act, shall be made under this section after the expiry of two years from the commencement of this Act.

2016 Bill : The proviso to Clause 58(1) stated that an no order by Central Government, which may appear necessary to remove a difficulty in giving effect to the provisions of this Act, shall be made under this section after the expiry of three years from the commencement of this Act.

3. Savings

2010 Bill: Clause 57 provided that any action taken by the Central Government under the Resolution of the Government of India, Planning Commission bearing notification number A-43011/02/ 2009-Admin.I, dated the 28th January, 2009, shall be deemed to have been done or taken under the corresponding provisions of this Act.

2016 Bill : Clause 59 states that any action take by Central Government under  the Resolution of the Government of India, Planning Commission bearing notification number A-43011/02/2009-Admin. I, dated the 28th January, 2009, or by the Department of Electronics and Information Technology under the Cabinet Secretariat Notification bearing notification number S.O. 2492(E), dated the 12th September, 2015, as the case may be, shall be deemed to have been validly done or taken under this Act.

• Statement of Objects and Reasons

2010 Bill: The Bill stated that the Central Government decided to issues  unique identification numbers to all residents in India, which involves collection of demographic, as well as biometric information.  The Unique Identification Authority of India was constituted as an executive body by the Government, vide its notification dated the 28th January, 2009. The Bill addressed and enlisted several issues with the issuance of  unique identification numbers which should be addressed by law and attract penalties, such as security and confidentiality of information, imposition of obligation of disclosure of information so collected in certain cases, impersonation at the time of enrolment, unauthorised access to the Central Identities Data Repository, manipulation of biometric information, investigation of certain acts constituting offence, and unauthorised disclosure of the information collected for the purposes of issuance of the numbers. To make the said Authority a statutory one, the National Identification Authority of India Bill, 2010 was proposed to establish the National Identification Authority of India to issue identification numbers and authenticate the Aadhaar number to facilitate access to benefits and services to such individuals to which they are entitled and for matters connected therewith or incidental thereto.Apart from the above mentioned purposes, The National Identification Authority of India Bill, 2010 also seeks to provide for the Authority to exercise powers and discharge functions so prescribed , ensure that the Authority does not require any individual to give information pertaining to his race, religion, caste, tribe, ethnicity, language, income or health, may engage entities to establish and maintain the Central Identities Data Repository and to perform any other functions as may be specified by regulations, constitute the  Identity Review Committee and take measures to ensure that the information in the possession or control of the Authority is secured and protected against any loss, unauthorised access or use or unauthorised disclosure thereof.

Source: http://cis-india.github.io/aadhaar-bill-2016/

The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016

Chapter I. PRELIMINARY

Section 1

1. This Act is called Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016.

2. It will be applicable in whole of India (except the state of Jammu and Kashmir).

3. It will become applicable on a date to be notified by the Central Government.

Section 2

1. “Aadhaar number” is the identification number issued to an individual under the Act;

2. “Aadhaar number holder” is the person who has been given an Aadhaar number;

3. “authentication” is the process of verifying the Aadhaar number, demographic information and biometric information of any person by the Central Identities Data Repository (CIDR);

4. “authentication record” is the record of the authentication which will contain the identity of the requesting entity and the response of the CIDR;

5. “Authority”  or “UIDAI” refers to the Unique Identification Authority of India established under this Act;

6. “benefit” means any relief or payment which may be notified by the Central Government;

7. “biometric information” means photograph, fingerprint, Iris scan, or any other biological attributes specified by regulations;

8. “Central Identities Data Repository” or “CIDR” means a centralised database containing all Aadhaar numbers, demographic information and biometric information and other related information;

9. “Chairperson” means the Chairperson of the UIDAI;

10. “core biometric information” means fingerprint, Iris scan, or any biological attributes specified by regulations;

11. “demographic information” includes information relating to the name, date of birth, address and other relevant information as specified by regulations. This information will not include race, religion, caste, tribe, ethnicity, language, records of entitlement, income or medical history;

12. “enrolling agency” means an agency appointed by the UIDAI or a Registrar for collecting demographic and biometric information of individuals for issuing Aadhaar numbers;

13. “enrolment” means the process of collecting demographic and biometric information from individuals for the purpose of issuing Aadhaar numbers;

14. “identity information” in respect of an individual, includes his Aadhaar number, his biometric information and his demographic information;

15. “Member” includes the Chairperson and Member of the Authority appointed under section 12;

16. “notification” means a notification published in the Official Gazette and the expression “notified” with its cognate meanings and grammatical variations will be construed accordingly;

17. “prescribed” means prescribed by rules made by the Central Government under this Act;

18. “records of entitlement” means the records of benefits, subsidies or services provided to any individual under any government programme;

19. “Registrar” means any person authorized by the UIDAI to enroll individuals under the Act;

20. “regulations” means the regulations made by the UIDAI under this Act;

21. “requesting entity” means an agency that submits the Aadhaar number and other information of an individual to the CIDR for authentication;

22. “resident” means a person who has resided in India for atleast 182 days in the last twelve months before the date of application for enrolment;

23. “service” means any facility or assistance provided by the Central Government in any form;

24. “subsidy” means any form of aid, support, grant, etc. in cash or kind as notified by the Central Government.

Chapter II. ENROLMENT

Section 3

1. Every resident is entitled to get an Aadhaar number.

2. At the time of enrollment, the enrolling agency will inform the individual of the following details—

1. how their information will be used;

2. what type of entities the information will be shared with; and

3. that they have a right to see their information and also tell them how they can see their information.

3. After collecting and verifying the information given by the individuals, the UIDAI will issue an Aadhaar number to each individual.

Section 4

1. Once an Aadhaar number has been issued to a person, it will not be re-assigned to any other person.

2. An Aadhaar number will be a random number and will not contain any attributes or identity of the Aadhaar number holder.

3. if adopted by a service provider, an Aadhaar number may be accepted as proof of identity of the person.

Section 5

The UIDAI will take special measures to issue Aadhaar number to women, children, senior citizens, persons with disability, unskilled and unorganised workers, nomadic tribes or to such other persons who do not have any permanent residence and similar categories of individuals.

Section 6

The UIDAI may require Aadhaar number holders to update their Aadhaar information, so that it remains accurate.

Chapter III. AUTHENTICATION

Section 7

As a condition for receiving subsidy for which the expenditure is incurred from the Consolidated Fund of India, the Government may require that a person should be authenticated or give proof of the Aadhaar number to establish his/her identity. In the case a person does not have an Aadhaar number, he/she should make an application for enrolment. If an Aadhaar number is not assigned, the person will be offered viable and alternate means of identification for receiving the subsidy, benefit or service.

Section 8

1. The UIDAI will authenticate the Aadhaar information of people as per the conditions prescribed by the government and may also charge a fees for doing so.

2. Any requesting entity will— (a) take consent from the individual before collecting his/her Adhaar information; (b) use the information only for authentication with the CIDR;

3. The entity requesting authentication will also inform the individual of the following— (a) what type of information will be shared for authentication; (b) what will the information be used for; and (c) whether there is any alternative to submitting the Aadhaar information to the requesting entity.

4. The UIDAI will respond to the authentication request with yes, no, or other appropriate response and share identity information about the Aadhaar number holder but not share any biometric information.

Section 9

The Aadhaar number or its authentication will not be a proof of citizenship or domicile.

Section 10

The UIDAI may engage any number of entities to establish and maintain the CIDR and to perform any other functions specified by the regulations.

Chapter IV. UNIQUE IDENTIFICATION AUTHORITY OF INDIA

Section 11

1. The UIDAI will be established by the Central Government to be responsible for the processes of enrolment and authentication of Aadhaar numbers.

2. The UIDAI will be a body corporate with the power to buy and sell property, to enter into contracts and to sue or be sued.

3. The head office of the UIDAI will be in New Delhi.

4. The UIDAI may establish its offices at other places in India.
   
   

Section 12

The UIDAI will have a Chairperson, two part-time Members and a chief executive officer, who to be appointed by the Central Government.

Section 13

The Chairperson and Members will be competent people with at least 10 years experience and knowledge in technology, governance, law, development, economics, finance, management, public affairs or administration.

Section 14

1. The Chairperson and the Members will be appointed for 3 years and can be re-appointed after their term. But no Member or Chairperson will be more than 65 years of age.

2. The Chairperson and Members will take an oath of office and of secrecy.

3. The Chairperson or Member may— (a) resign from office, by giving an advance written notice of at least 30 days; or (b) be removed from his office because she/he gets disqualified on any of the grounds mentioned in section 15.

4. The salaries and allowances of the Members and Chairperson will be prescribed under the government.
   
   

Section 15

1. The Central Government may remove a Chairperson or Member, who—
   (a) has gone bankrupt;
   (b) is physically or mentally unable to do his/her job;
   (c) has been convicted of an offence involving moral turpitude;
   (d) has a financial conflict of interest in performing his/her functions; or
   (e) has abused his/her position so that the government needs to remove him/her in public interest.

2. The Chairperson or a Member will be given a chance to present his/her side of the story before being removed, unless he/she is being removed on the grounds of bankruptcy or criminal conviction.
   
   

Section 16

An Ex-Chairperson or Ex-Member will have to take the approval of the Central Government,—

1. to accept any job in any entity (other than a government organization) which was associated with any work done for the UIDAI while that person was a Chairperson or Member, for a period of three years after ceasing to hold office;

2. to act or advise any entity on any particular transaction for which that person had provided advice to the UIDAI while he/she was the Chairperson or a Member;

3. to give advice to any person using information which was obtained as the Chairperson or a Member which is not available to the public in general; or

4. to accept any offer of employment or appointment  as a director of any company with which he/she had direct and significant official dealings during his/her term of office, for a period of three years.
   
   

Section 17

The Chairperson will preside over the meetings of the UIDAI and have the powers and perform the functions of the UIDAI.

Section 18

1. The chief executive officer (CEO) of the UIDAI will not be below the rank of Additional Secretary to the Government of India.

2. The chief executive officer will be responsible for— (a) the day-to-day administration of the UIDAI; (b) implementing the programmes and decisions of the UIDAI; (c) making proposals for the UIDAI; (d) preparation of the accounts and budget of the UIDAI; and (e) performing any other functions prescribed in the regulations.

3. The CEO will annually submit the following things to the UIDAI for its approval — (a) a general report covering all the activities of the Authority in the previous year; (b) programmes of work; (c) the annual accounts for the previous year; and (d) the budget for the coming year.

4. The CEO will have administrative control over the officers and other employees of the Authority.

Section 19

1. The time and place of the meetings of the UIDAI and the rules and procedures of those meetings will be prescribed by regulations.

2. The meetings will be presided by the Chairperson, and if they are absent, then the senior most Member of the UIDAI.

3. All decisions at the meetings of the UIDAI will be taken by a majority vote. In case of a tie, the person presiding the meeting will have the casting vote.

4. All decisions of the UIDAI will be signed by the Chairperson or any other Member or the Member-Secretary authorised by the UIDAI in this behalf.

5. If any Member, who is a director of a company and because of this has any financial interest in matters coming up for consideration at a meeting, that member should disclose the financial interest and not take any further part in the discussions and decision on that matter.
   
   

Section 20

No actions or proceeding of the UIDAI will become invalid merely because of—

1. any vacancy in, or any defect in the constitution of, the UIDAI;

2. any defect in the appointment of a person as Chairperson or Member of the Authority; or

3. any irregularity in the procedure of the Authority not affecting the merits of the case.

Section 21

1. The UIDAI, with the approval of the Government, can decide on the number and types of officers and employees that it would require.

2. The salaries and allowances of the employees, officer and chief executive officer will be prescribed under the government.
   
   

Section 22.

Once the UIDAI is establishment—

1. all the assets and liabilities of the existing Unique Identification Authority of India, established by the Government of India through notification dated the 28th January, 2009, will stand transferred to the new UIDAI.

2. all data and information collected during enrolment, all details of authentication performed, by the existing Unique Identification Authority of India will be deemed to have been done by the UIDAI. All debts, liabilities incurred and all contracts entered into by the Unique Identification Authority of India will be deemed to have been entered into by the UIDAI;

3. all money due to the existing Unique Identification Authority of India will be deemed to be due to the UIDAI; and

4. all suits and other legal proceedings instituted by or against such Unique Identification Authority of India may be continued by or against the UIDAI.
   
   

Section 23

The UIDAI will develop the policy, procedure and systems for issuing Aadhaar numbers to individuals and perform their authentication. The powers and functions of the UIDAI include—

1. specifying the demographic information and biometric information required for enrolment and the processes for collection and verification of that information;

2. collecting demographic information and biometric information from people seeking Aadhaar numbers;

3. appointing of one or more entities to operate the CIDR;

4. generating and assigning Aadhaar numbers to individuals;

5. performing authentication of Aadhaar numbers;

6. maintaining and updating the information of individuals in the CIDR;

7. omitting and deactivating an Aadhaar number;

8. specifying the manner of use of Aadhaar numbers for the purposes of providing or availing of various subsidies and other purposes for which Aadhaar numbers may be used;

9. specifying the terms and conditions for appointment of Registrars, enrolling agencies and service providers and revocation of their appointments;

10. establishing, operating and maintaining of the CIDR;

11. sharing the information of Aadhaar number holders;

12. calling for information and records, conducting inspections, inquiries and audit of the operations of the CIDR, Registrars, enrolling agencies and other agencies appointed under this Act;

13. specifying processes relating to data management, security protocols and other technology safeguards under this Act;

14. specifying the conditions/procedures for issuance of new Aadhaar number to existing Aadhaar number holder;

15. levying and collecting the fees or authorising the Registrars, enrolling agencies or other service providers to collect fees for the services provided by them under this Act;

16. appointing committees necessary to assist the Authority in discharge of its functions;

17. promoting research and development for advancement in biometrics and related areas;

18. making and specifying policies and practices for Registrars, enrolling agencies and other service providers;

19. setting up facilitation centres and grievance redressal mechanisms;

20. other powers and functions as prescribed.

The Authority may,— (a) enter into agreements with various state governments and Union Territories for collecting, storing, securing or processing of information or delivery of Aadhaar numbers to individuals or performing authentication; (b) appoint Registrars, engage and authorize agencies to collect, store, secure, process information or do authentication or perform other functions under this Act. The Authority may engage consultants, advisors and other persons required for efficient discharge of its functions.

Chapter V. GRANTS, ACCOUNTS AND AUDIT AND ANNUAL REPORT

Section 24

The Central Government may grant money to the UIDAI as it may decide, upon due appropriation by Parliament.

Section 25

Fees/revenue collected by the UIDAI will be credited to the Consolidated Fund of India

Section 26

1. The UIDAI will prepare an annual statement of accounts in the format prescribed by Central Government

2. The Comptroller and Auditor-General will audit the account of the UIDAI annually at intervals decided by him, at the UIDAI’s expense.

3. The Comptroller and Auditor-General or his appointees will have the same powers of audit they usually have to audit Government accounts.

4. The UIDAI will forward the statement of accounts certified by the Comptroller and Auditor-General and the audit report, to the Central Government who will lay it before both houses of Parliament.

Section 27

1. The UIDAI will provide returns, statements and particulars as sought, to the Central Government, as and when required.

2. The UIDAI will prepare an annual report containing the description of work for previous years, annual accounts of previous year, and the programmes of work for coming year.

3. The copy of the annual report will be laid before both houses of Parliament by the Central Government.

Chapter VI. PROTECTION OF INFORMATION

Section 28

1. The UIDAI will ensure the security and confidentiality of identity information and authentication records.

2. The UIDAI will take measures to ensure that all information with the UIDAI, including CIDR records is secured and protected against access, use or disclosure and against destruction, loss or damage.

3. The UIDAI will adopt and implement appropriate technical and organisational security measures, and ensure the same are imposed through agreements/arrangements with its agents, consultants, advisors or other persons.

4. Unless otherwise provided, the UIDAI or its agents will not reveal any information in the CIDR to anyone.

5. An Aadhaar number holders may request UIDAI to provide access his information (excluding the core biometric information) as per the regulations specified.

Section 29

1. The core biometric information collected will not be a) shared with anyone for any reason, and b) used for any purpose other generation of Aadhaar numbers and authentication.

2. Identity information, other than core biometric information, may be shared only as per this Act and regulations specified under it.

3. Identity information available with a requesting entity will not be used for any purpose other than what is specified to the individual, nor will it be shared further without the individual’s consent.

4. Aadhaar numbers or core biometric information will not be made public except as specified by regulations.

Section 30

All biometric information collected and stored in electronic form will be deemed to be “electronic record” and “sensitive personal data or information” under Information Technology Act, 2000 and its provisions and rules will apply to it in addition to this Act.

Section 31

1. If the demographic or biometric information about any Aadhaar number holder changes, is lost or is found to be incorrect, they may request the UIDAI to make changes to their record in the CIDR, as necessary.

2. The identity information in the CIDR will not be altered, except as provided in this Act.

Section 32

1. The UIDAI will maintain the authentication records in the manner and for as long as specified by regulations.

2. Every Aadhaar number holder may obtain his authentication record as specified by regulations.

3. The UIDAI will not collect, keep or maintain any information about the purpose of authentication.

Section 33

1. The UIDAI may reveal identity information, authentication records or any information in the CIDR following a court order by a District Judge or higher. Any such order may only be made after UIDAI is allowed to appear in a hearing.

2. The confidentiality provisions in Sections 28 and 29 will not apply with respect to disclosure made in the interest of national security following directions by a Joint Secretary to the Government of India, or an officer of a higher rank, authorised for this purpose.

3. An Oversight Committee comprising Cabinet Secretary, and Secretaries of two departments — Department of Legal Affairs and DeitY— will review every direction under 33 B above.

4. Any directions under 33 B above are valid for 3 months, after which they may be extended following a review by the Oversight Committee.

Chapter VII. OFFENCES AND PENALTIES

Section 34

Impersonating or attempting to impersonate another person by providing false demographic or biometric information will punishable by imprisonment of up to three years, and/or fine of up to ten thousand rupees.

Section 35

Changing or attempting to change any demographic or biometric information of an Aadhaar number holder by impersonating another person (or attempting to do so), with the intent of i) causing harm or mischief to an Aadhaar number holder, or ii) appropriating the identity of an Aadhaar number holder, is punishable with imprisonment up to three years and fine up to ten thousand rupees.

Section 36

Collection of identity information by one not authorised by this Act, by way of pretending otherwise, is punishable with imprisonment up to three years or a fine up to ten thousand rupees (in case of an individual), and fine up to one lakh rupees (in case of a company).

Section 37

Intentional disclosure or dissemination of identity information, to any person not authorised under this Act, or in violation of any agreement entered into under this Act, will be punishable with imprisonment up to three years or a fine up to ten thousand rupees (in case of an individual), and fine up to one lakh rupees (in case of a company).

Section 38

The following intentional acts, when not authorised by the UIDAI, will be punishable with imprisonment up to three years and a fine not less than ten lakh rupees:

1. accessing or securing access to the CIDR;

2. downloading, copying or extracting any data from the CIDR;

3. introducing or causing any virus or other contaminant into the CIDR;

4. damaging or causing damage to the data in the CIDR;

5. disrupting or causing disruption to access to CIDR;

6. causing denial of access to an authorised to the CIDR;

7. revealing information in breach of (D) in Section 28, or Section 29;

8. destruction, deletion or alteration of any files in the CIDR;

9. stealing, destruction, concealment or alteration of any source code used by the UIDAI.

Section 39

Tampering of data in the CIDR or removable storage medium, with the intention to modify or discover information relating to Aadhaar number holder will be punishable with imprisonment up to three years and a fine up to ten thousand rupees.

Section 40

Use of identity information in violation of Section 8 (3) by a requesting entity will be punishable with imprisonment up to three years and/or a fine up to ten thousand rupees (in case of an individual), and fine up to one lakh rupees (in case of a company).

Section 41

Violation of Section 8 (3) or Section 3 (2) by a requesting entity or enrolling agency will be punishable with imprisonment up to one year and/or a fine up to ten thousand rupees (in case of an individual), and fine up to one lakh rupees (in case of a company).

Section 42

Any offence against this Act or regulations made under it, for which no specific penalty is provided, will be punishable with be punishable with imprisonment up to one year and/or a fine up to twenty five thousand rupees (in case of an individual), and fine up to one lakh rupees (in case of a company).

Section 43

1. In case of an offence under Act committed by a Company, all person in charge of and responsible for the conduct of the company will also be held to be guilty and liable for punishment unless they can prove lack of knowledge of the offense or that they had exercised all due diligence to prevent it.

2. In case an offence is committed by a Company with the consent, connivance or neglect of a director, manager, secretary or other officer of a company, they will also be held guilty of the offence.

Section 44

This Act will also apply to offences committed outside of India by any person, irrespective of their nationality, if the offence involves any data in the CIDR.

Section 45

Offences under this Act will not be investigated by police officers below the rank of Inspector of Police.

Section 46

Penalties imposed under this Act will not prevent imposition of any other penalties or punishment under any other law in force.

Section 47

1. Courts will take cognizance of offences under this Act only upon complaint being made by the UIDAI or any officer authorised by it.

2. No court inferior to that of a Chief Metropolitan Magistrate or a Chief Judicial Magistrate will try any offence under this Act.

Chapter VIII. MISCELLANEOUS

Section 48

1. Central Government has the power to supersede the UIDAI, through a notification, not for longer than six months, in the following circumstances: i) In case of circumstances beyond the control of the UIDAI, ii) The UIDAI has defaulted in complying with directions of the Central Government, affecting financial position of the UIDAI, iii) Public emergency

2. Upon publication of notification, Chairperson and Members of the UIDAI must vacate the office

3. Powers, functions and duties will be performed by person(s) authorised by the President.

4. Properties controlled and owned by UIDAI will vest in the Central Government.

5. Central Government will reconstitute the UIDAI upon expiration of supersession, with fresh appointment of Chairperson and Members.

Section 49

Chairperson, members, employees etc. are deemed to be public servants within the meaning of section 21 of the Indian Penal Code.

Section 50

1. Central Government has the power to issue directions to the UIDAI on questions of policy (to be decided by the Government), except technical and administrative matters and the UIDAI will be bound by it.

2. The UIDAI will be given an opportunity to express views before direction is given.

Section 51

The UIDAI may delegate its powers and functions to a Member or officer of the UIDAI.

Section 52

No suit, prosecution or other legal proceedings will lie against the Central Government, UIDAI, Chairperson, any Member, officer, or other employees of the UIDAI for an act done in good faith.

Section 53

The Central Government has the power to makes Rules for matters prescribed under this provision.

Section 54

UIDAI has the power to make regulations for matters prescribed under this provision.

Section 55

Rules and regulations under this Act will be laid before each House of Parliament for a total period of thirty days, both Houses must agree in making modification, and then the Rules will come into effect.

Section 56

Provisions of this Act are in addition to, and not in derogation of any other law currently in effect.

Section 57

This Act will not prevent use of Aadhaar number for other purposes under law by the State or other bodies.

Section 58

The Central Government may pass an order to remove a difficulty in giving effect to the provisions of this Act, not beyond three years from the commencement of this Act.

Section 59

Action take by Central Government under the Resolution of the Government of India for setting up the UIDAI or by the Department of Electronics and Information Technology under the notification including the UIDAI under the Ministry of Communications and Information Technology will be deemed to have been validly done or taken.

STATEMENT OF OBJECTS AND REASONS

1. Correct identification of targeted beneficiaries for delivery of subsidies, services, frants, benefits, etc has become a challenge for the Government

2. This has proved to be a major hindrance for successful implementation of these programmes.

3. In the absence of a credible system to authenticate identity of beneficiaries, it is difficult to ensure that the subsidies, benefits and services reach to intended beneficiaries.

4. The UIDAI was established to lay down policies and implement the Unique Identification Scheme of the Government, by which residents of India were to be provided unique identity number.

5. Upon successful authentication, this number would serve as proof of identity for identification of beneficiaries for transfer of benefits, subsidies, services and other purposes.

6. With increased use of the Aadhaar number, steps to ensure security of such information need to be taken and offences pertaining to certain unlawful actions, created.

7. It has been felt that the processes of enrolment, authentication, security, confidentiality and use of Aadhaar related information must be made statutory.

8. The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016 seeks to provide for issuance of Aadhaar numbers to individuals on providing his demographic and biometric information to the UIDAI, requiring Aadhaar numbers for identifying an individual for delivery of benefits, subsidies, and services, authentication of the Aadhaar number, establishment of the UIDAI, maintenance and updating the information of individuals in the CIDR, state measures pertaining to security, privacy and confidentiality of information in possession or control of the UIDAI including information stored in the Central Identities Data Repository and identify offences and penalties for contravention of relevant statutory provisions.

Read and sign the open letter.

Text of the Open Letter

As our everyday lives are conducted increasingly through electronic communications the necessity for privacy protections has also increased. While several countries across the globe have recognised this by furthering the right to privacy of their citizens the Union Government has adopted a regressive attitude towards this core civil liberty. We urge the Union Government to take urgent measures to safeguard the right to privacy in India.

Our concerns are based on a continuing pattern of disregard for the right to privacy by several governments in the past. This trend has increased as can be plainly viewed from the following developments.

In 2015, the Attorney General in the case of *K.S. Puttaswamy v. Union of India*, argued before the Hon’ble Supreme Court that there is no right to privacy under the Constitution of India. The Hon'ble Court was persuaded to re-examine the basis of the right to privacy upsetting 45 years of judicial precedent. This has thrown the constitutional right to privacy in doubt and the several judgements that have been given under it. This includes the 1997 PUCL Telephone Tapping judgement as well. We urge the Union Government to take whatever steps are necessary and urge the Supreme Court to hold that a right to privacy exists under the Constitution of India.

Recently Mr. Arun Jaitley, Minister for Finance introduced the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016. This bill was passed on March 11, 2016 in the middle of budget discussion on a short notice as a money bill in the Lok Sabha when only 73 of 545 members were present. Its timing and introduction as a money bill prevents necessary scrutiny given the large privacy risks that arise under it. This version of the bill was never put up for public consultation and is being rushed through without adequate discussion. Even substantively it fails to give accountable privacy safeguards while making Aadhaar mandatory for availing any government subsidy, benefit, or service.

We urge the Union Government to urgently take steps to uphold the constitutional basis to the right to privacy and fulfil it’s constitutional and international obligations. We encourage the Government to have extensive public discussions on the Aadhaar Bill before notifying it. We further call upon them to constitute a drafting committee with members of civil society to draft a comprehensive statute as suggested by the Justice A.P. Shah Committee Report of 2012.

Signatories:

• Amber Sinha, the Centre for Internet and Society
• Japreet Grewal, the Centre for Internet and Society
• Joshita Pai, Centre for Communication Governance, National Law University
• Raman Jit Singh Chima, Access Now
• Sarvjeet Singh, Centre for Communication Governance, National Law University
• Sumandro Chattapadhyay, the Centre for Internet and Society
• Sunil Abraham, the Centre for Internet and Society
• Vanya Rakesh, the Centre for Internet and Society

The Lok Sabha passed the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016 today. This Bill was proposed by finance minister, Mr. Arun Jaitley to give legislative backing to Aadhaar, being implemented by the Unique Identification Authority of India (UIDAI).

The Bill was introduced as a money bill and there was no public consultation to evaluate the provisions therein even though there are very serious ramifications for the Right to Privacy and the Right to Association and Assembly. The Bill has made it compulsory for an individual to enrol under Aadhaar in order to receive any subsidy, benefit or service from the Government. Biometric information that is required for the purpose of enrolment has been deemed "sensitive personal information" and restrictions have been imposed on use, disclosure and sharing of such information for purposes other than authentication, disclosure made pursuant to a court order or in the interest of national security. Here, the Bill has acknowledged the standards of protection of sensitive personal information established under Section 43A of the Information Technology Act, 2000. The Bill has also laid down several penal provisions for acts that include impersonation at the time of enrolment, unauthorised access to the Central Identities Data Repository, unauthorised use by requesting entity, noncompliance with intimation requirements, etc.

Key Issues

1. Identification without Consent

Before the Aadhaar project it was not possible for the Indian government to identify citizens without their consent. But once the government has created a national centralized biometric database it will be possible for the government to identify any citizen without their consent. Hi-resolution photography and videography make it trivial for governments and also any other actor to harvest biometrics remotely. In other words, the technology makes consent irrelevant. A German ministers fingerprints were captured by hackers as she spoke using hand gesture at at conference. In a similar manner the government can now identify us both as individuals and also as groups without requiring our cooperation. This has direct implications for the right to privacy as we will be under constant government surveillance in the future as CCTV camera resolutions improve and there will be chilling effects on the right to free speech and the freedom of association. The only way to fix this is to change the technology configuration and architecture of the project. The law cannot be used as band-aid on really badly designed technology.

2. Fallible Technology

The technology used for collection and authentication as been said to be fallible. It is understood that the technology has been feasible for a population of 200 million. The Biometrics Standards Committee of UIDAI has acknowledged the lack of data on how a biometric authentication technology will scale up where the population is about 1.2 billion. Further, a report by 4G Identity Solutions estimates that while in any population, approximately 5% of the people have unreadable fingerprints, in India it could lead to a failure to enroll up to 15% of the population.

We know that the Aadhaar number has been issued to dogs, trees (with the Aadhaar letter containing the photo of a tree). There have been slip-ups in the Aadhaar card enrolment process, some cards have ended up with pictures of an empty chair, a tree or a dog instead of the actual applicants. An RTI application has revealed that the Unique Identification Authority of India (UIDAI) has identified more than 25,000 duplicate Aadhaar numbers in the country till August 2015.

At the stage of authentication, the accuracy of biometric identification depends on the chance of a false positive— the probability that the identifiers of two persons will match. For the current population of 1.2 billion the expected proportion of duplicates is 1/121, a ratio which is far too high. In a recent paper in EPW by Hans Mathews, a mathematician with CIS, shows that as per UIDAI's own statistics on failure rates, the programme would badly fail to uniquely identify individuals in India. [1]

Endnote

[1] See: http://cis-india.org/internet-governance/blog/epw-27-february-2016-hans-varghese-mathews-flaws-in-uidai-process

Nandan Nilekani, the former chairperson of the Unique Identification Authority of India had repeatedly stated that Aadhaar is not mandatory. However, in the last few years various agencies and departments of the government, both at the central and state level, had made it mandatory in order to be able to avail beneficiary schemes or for the arrangement of salary, provident fund disbursals, promotion, scholarship, opening bank account, marriages and property registrations. In August 2015, the Supreme Court passed an order mandating that the Aadhaar number shall remain optional for welfare schemes, stating that no person should be denied any benefit for reason of not having an Aadhaar number, barring a few specified services.

The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016, however, has not followed this mandate. Section 7 of the Bill states that “a person should be authenticated or give proof of the Aadhaar number to establish his/her identity” “as a condition for receiving subsidy, benefit or service”. Further, it reads, “In the case a person does not have an Aadhaar number, he/she should make an application for enrollment.” The language of the provision is very clear in making enrollment in Aadhaar mandatory, in order to be entitled for welfare services. Section 7 also says that “the person will be offered viable and alternate means of identification for receiving the subsidy, benefit or service. However, these unspecified alternate means will be made available in the event “an Aadhaar number is not assigned”. This language is vague and it is not clear whether it mandates alternate means of identification for those who choose not to apply for an Aadhaar number for any reason. The fact that it does make it mandatory to apply for an Aadhaar number for persons without it, may lead to the presumption that the alternate means are to be made available for those who may have applied for an Aadhaar number but it has not been assigned for any reason. It is also noteworthy that draft legislation is silent on what the “viable and alternate means of identification” could be. There are a number of means of identification, which are recognised by the state, and a schedule with an inclusive list could have gone a long way in reducing the ambiguity in this provision.

Another aspect of Section 7 which is at odds with the Supreme Court order is that it allows making an Aadhaar number mandatory for “for receipt of a subsidy, benefit or service for which the expenditure is incurred” from the Consolidated Fund of India. The Supreme Court had been very specific in articulating that having an Aadhaar number could not be made compulsory except for “any purpose other than the PDS Scheme and in particular for the purpose of distribution of foodgrains, etc. and cooking fuel, such as kerosene” or for the purpose of the LPG scheme. The restriction in the Supreme Court order was with respect to the welfare schemes, however, instead of specifying the schemes, Section 7 specified the source of expenditure from which subsidies, benefits and services can be funded, making the scope much broader. Section 7, in effect, allows the Central Government to circumvent the Supreme Court order if they choose to tie more subsidies, benefits and services to the Consolidated Fund of India.

These provisions run counter to the repeated claims of the government for the last six years that Aadhaar is not compulsory, nor is the specification by the Supreme Court for restricting use of Aadhaar to a few services only, reflected anywhere in the Bill. The “viable and alternate means” clause is too vague and inadequate to prevent denial of benefits to those without an Aadhaar number. The sum effect of these factors is to give the Central Government powers to make Aadhaar mandatory, for all practical purposes.

Download the submission letter: PDF.

Text of the Submission

On Friday, March 11, the Lok Sabha passed the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016. The Bill was introduced as a money bill and there was no public consultation to evaluate the provisions therein even though there are very serious ramifications for the Right to Privacy and the Right to Association and Assembly. The Bill has made it compulsory for all Indian to enroll for Aadhaar in order to receive any subsidy, benefit, or service from the Government whose expenditure is incurred from the Consolidate Fund of India. Apart from the issue of centralisation of the national biometric database leading to a deep national vulnerability, the Bill also keeps unaddressed two serious concerns regarding the technological framework concerned:

• Identification without Consent: Before the Aadhaar project it was not possible for the Indian government or any private entity to identify citizens (and all residents) without their consent. But biometrics allow for non-consensual and covert identification and authentication. The only way to fix this is to change the technology configuration and architecture of the project. The law cannot be used to correct the problems in the technological design of the project.
  
  
• Fallible Technology: The Biometrics Standards Committee of UIDAI has acknowledged the lack of data on how a biometric authentication technology will scale up where the population is about 1.2 billion. The technology has been tested and found feasible only for a population of 200 million. Further, a report by 4G Identity Solutions estimates that while in any population, approximately 5% of the people have unreadable fingerprints, in India it could lead to a failure to enroll up to 15% of the population. For the current Indian population of 1.2 billion the expected proportion of duplicates is 1/121, a ratio which is far too high. [1]

Based on these concerns, and numerous others, we sincerely request you to ensure that the Bill is rigorously discussed in Rajya Sabha, in public, and, if needed, also by a Parliamentary Standing Committee, before considering its approval and implementation. Towards this, we humbly submit an initial list of recommendations to highlight the aspects of the Bill that require immediate attention:

1. Implement the Recommendations of the Shah and Sinha Committees: The report by the Group of Experts on Privacy chaired by the Former Chief Justice A P Shah [2] and the report by the Parliamentary Standing Committee on Finance (2011-2012) chaired by Shri Yashwant Sinha [3] have suggested a rigorous and extensive range of recommendations on the Aadhaar / UIDAI / NIAI project and the National Identification Authority of India Bill, 2010 from which the majority sections of the Aadhaar Bill, 2016, are drawn. We request that these recommendations are seriously considered and incorporated into the Aadhaar Bill, 2016.
   
   
2. Authentication using the Aadhaar number for receiving government subsidies, benefits, and services cannot be made mandatory: Section 7 of the Aadhaar Bill, 2016, states that authentication of the person using her/his Aadhaar number can be made mandatory for the purpose of disbursement of government subsidies, benefits, and services; and in case the person does not have an Aadhaar number, s/he will have to apply for Aadhaar enrolment. This sharply contradicts the claims made by UIDAI earlier that the Aadhaar number is “optional, and not mandatory”, and more importantly the directive given by the Supreme Court (via order dated August 11, 2015). The Bill must explicitly state that the Aadhaar number is only optional, and not mandatory, and a person without an Aadhaar number cannot be denied any democratic rights, and public subsidies, benefits, and services, and any private services.
   
   
3. Vulnerabilities in the Enrolment Process: The Bill does not address already documented issues in the enrolment process. In the absence of an exhaustive list of information to be collected, some Registrars are permitted to collect extra and unnecessary information. Also, storage of data for elongated periods with Enrollment agencies creates security risks. These vulnerabilities need to be prevented through specific provisions. It should also be mandated for all entities including the Enrolment Agencies, Registrars, CIDR and the requesting entities to shift to secure system like PKI based cryptography to ensure secure method of data transfer.
   
   
4. Precisely Define and Provide Legal Framework for Collection and Sharing of Biometric Data of Citizens: The Bill defines “biometric information” is defined to include within its scope “photograph, fingerprint, iris scan, or other such biological attributes of an individual.” This definition gives broad and sweeping discretionary power to the UIDAI / Central Government to increase the scope of the term. The definition should be exhaustive in its scope so that a legislative act is required to modify it in any way.
   
   
5. Prohibit Central Storage of Biometrics Data: The presence of central storage of sensitive personal information of all residents in one place creates a grave security risk. Even with the most enhanced security measures in place, the quantum of damage in case of a breach is extremely high. Therefore, storage of biometrics must be allowed only on the smart cards that are issued to the residents.
   
   
6. Chain of Trust Model and Audit Trail: As one of the objects of the legislation is to provide targeted services to beneficiaries and reduce corruption, there should be more accountability measures in place. A chain of trust model must be incorporated in the process of enrolment where individuals and organisations vouch for individuals so that when a ghost is introduced someone has can be held accountable blame is not placed simply on the technology. This is especially important in light of the questions already raised about the deduplication technology. Further, there should be a transparent audit trail made available that allows public access to use of Aadhaar for combating corruption in the supply chain.
   
   
7. Rights of Residents: There should be specific provisions dealing with cases where an individual is not issued an Aadhaar number or denied access to benefits due to any other factor. Additionally, the Bill should make provisions for residents to access and correct information collected from them, to be notified of data breaches and legal access to information by the Government or its agencies, as matter of right. Further, along with the obligations in Section 8, it should also be mandatory for all requesting entities to notify the individuals of any changes in privacy policy, and providing a mechanism to opt-out.
   
   
8. Establish Appropriate Oversight Mechanisms: Section 33 currently specifies a procedure for oversight by a committee, however, there are no substantive provisions laid down that shall act as the guiding principles for such oversight mechanisms. The provision should include data minimisation, and “necessity and proportionality” principles as guiding principles for any exceptions to Section 29.
   
   
9. Establish Grievance Redressal and Review Mechanisms: Currently, there are no grievance redressal mechanism created under the Bill. The power to set up such a mechanism is delegated to the UIDAI under Section 23 (2) (s) of the Bill. However, making the entity administering a project, also responsible for providing for the frameworks to address the grievances arising from the project, severely compromises the independence of the grievance redressal body. An independent national grievance redressal body with state and district level bodies under it, should be set up. Further, the NIAI Bill, 2010, provided for establishing an Identity Review Committee to monitor the usage pattern of Aadhaar numbers. This has been removed in the Aadhaar Bill 2016, and must be restored.

Endnotes

[1] See: http://cis-india.org/internet-governance/blog/Flaws_in_the_UIDAI_Process_0.pdf.

[2] See: http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf.

[3] See: http://164.100.47.134/lsscommittee/Finance/15_Finance_42.pdf.

Last month, it was reported that National Security Council Secretariat (NSCS) had proposed the setting up of a National Media Analytics Centre (NMAC). This centre’s mandate would be to monitor blogs, media channels, news outlets and social media platforms. Sources were quoted as stating that the centre would rely upon a tracking software built by Ponnurangam Kumaraguru, an Assistant Professor at the Indraprastha Institute of Information Technology in Delhi. The NMAC seems to mirror other similar efforts in countries such as US, Canada, Australia and UK, to monitor online content for the reasons as varied as prevention of terrorist activities, disaster relief and criminal investigation.

The NSCS, the parent body that this centre will fall under, is a part of the National Security Council, India’s highest agency looking to integrate policy-making and intelligence analysis, and advising the Prime Minister’s Office on strategic issues as well as domestic and international threats. The NSCS represents the Joint Intelligence Committee and its duties include the assessment of intelligence from the Intelligence Bureau, Research and Analysis Wing (R&AW) and Directorates of Military, Air and Naval Intelligence, and the coordination of the functioning of intelligence agencies.

From limited reports available, it appears that the tracking software used by NMAC will generate tags to classify post and comments on social media into negative, positive and neutral categories, paying special attention to “belligerent” comments. The reports say that the software will also try to determine if the comments are factually correct or not. The idea of a government agency systematically tracking social media, blogs and news outlets and categorising content as desirable and undesirable is bound to create a chilling effect on free speech online. The most disturbing part of the report suggested that the past pattern of writers’ posts would be analysed to see how often her posts fell under the negative category, and whether she was attempting to create trouble or disturbance, and appropriate feedback would be sent to security agencies based on it. Viewed alongside the recent events where actors critical of the government and holding divergent views have expressed concerns about attempts to suppress dissenting opinions, this initiative sounds even more dangerous, putting at risk individuals categorised as “negative” or “belligerent”, for exercising their constitutionally protected right to free speech.

Getty Images

It has been argued that the Internet is a public space, and should be treated as subject to monitoring by the government as any other space. Further, this kind of analysis does not concern itself with private communication between two or more parties but only with publicly available information. Why must we raise eyebrows if the government is accessing and analysing it for the purposes of legitimate state interests? There are two problems with this argument. First, any surveillance of communication must always be limited in scope, specific to individuals, necessary and proportionate, and subject to oversight. There are no laws passed by the Parliament in India which allow for mass surveillance measures. Such activities are being conducted through bodies like NSC which came into existence through an Executive Order and have no clear oversight mechanisms built into its functioning. A quick look at the history of intelligence and surveillance agencies in India will show that none of them have been created through a legislation. A host of surveillance agencies have come up in the last few years including the Central Monitoring System, which was set up to monitor telecommunications, and the absence of legislative pedigree translates into lack of appropriate controls and safeguards, and zero public accountability.

The second and the larger issue is that the scale and level of granularity of personal information available now is unprecedented. Earlier, our communications with friends and acquaintances, our movements, our association, political or otherwise, were not observable in the manner it is today. It would be remiss to underestimate the importance of personal information merely because it exists in the public domain. The ability to act without being subject to monitoring and surveillance is key to the right to free speech and expression. While we accept the importance of free speech and the value of an open internet and newer technologies to enable it, we do not give sufficient importance to how these technologies are affecting the right to privacy.

Getty Images

In the last few years, the social media scene in India has been characterised by extreme polemic with epithets such as ‘bhakt’, ‘sanghi’, ‘sickular’ and ‘presstitutes’ thrown around liberally, turning political discussions into a mess of ugliness. It remains to be seen whether the NMAC intends to deal with the professional trolls who rely on a barrage of abuse to disrupt public conversations online. However, the appropriate response would not be greater surveillance, let alone a body like NMAC, with a sweeping mandate and little accountability.

Link to the original here.

The article was published in the Hindustan Times on March 12, 2016.

There was an earlier attempt to give legislative backing to this project by the UPA government, but a parliamentary standing committee, led by BJP leader Yashwant Sinha, had rejected the bill in 2011 on multiple grounds. In an about-turn, the BJP-led NDA government decided to continue with Aadhaar despite most of those grounds still remaining.

Separately, there have been orders passed by the Supreme Court that prohibit the government from making Aadhaar mandatory for availing government services whereas this Bill seeks to do precisely that, contrary to the government’s argument that Aadhaar is voluntary.

In some respects, the new Aadhaar Bill is a significant improvement over the previous version. It places stringent restrictions on when and how the UID Authority (UIDAI) can share the data, noting that biometric information — fingerprint and iris scans — will not be shared with anyone. It seeks prior consent for sharing data with third party. These are very welcome provisions.

But a second reading reveals the loopholes.

The government will get sweeping power to access the data collected, ostensibly for “efficient, transparent, and targeted delivery of subsidies, benefits and services” as it pleases “in the interests of national security”, thus confirming the suspicions that the UID database is a surveillance programme masquerading as a project to aid service delivery.

The safeguards related to accessing the identification information can be overridden by a district judge. Even the core biometric information may be disclosed in the interest of national security on directions of a joint secretary-level officer. Such loopholes nullify the privacy-protecting provisions.

Amongst the privacy concerns raised by the Aadhaar system are the powers it provides private third parties to use one’s UID number. This concern, which wouldn’t exist without a national ID squarely relates to Aadhaar and needs a more comprehensive data protection law to fix it. The supposed data protection under the Information Technology Act is laughable and inadequate.

The Bill was introduced as a Money Bill, normally reserved for matters related to taxation, borrowing and the Consolidated Fund of India (CFI), and it would be fair to question whether this was done to circumvent the Rajya Sabha.

None of the above arguments even get to the question of implementation.

Aadhaar hasn’t been working. When looking into reasons why 22% of PDS cardholders in Andhra Pradesh didn’t collect their rations it was found that there was fingerprint authentication failure in 290 of the 790 cardholders, and in 93 instances there was an ID mismatch. A recent paper in the Economic and Political Weekly by Hans Mathews, a mathematician with the CIS, shows the programme would fail to uniquely identify individuals in a country of 1.2 billion.

The debate shouldn’t be only about the Aadhaar Bill being passed off as a Money Bill and about the robustness of its privacy provisions, but about whether the Aadhaar project can actually meet its stated goals.

Introduction

The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (the “Aadhaar Act”) was introduced in the Lok Sabha (lower house of the Parliament) by Minister of Finance, Mr. Arun Jaitley, in on March 3, 2016, and was passed by the Lok Sabha on March 11, 2016. It was sent back by the Rajya Sabha with suggestions but the Lok Sabha rejected those suggestions, which means that the Act is now deemed to have been passed by both houses as it was originally introduced as a Money Bill. Whilst there are a number of controversies relating to the Aadhaar Act including the fact that it was introduced in a manner so as to circumvent the majority of the opposition in the upper house of the Parliament and that it was rushed through the Lok Sabha in a mere eight days, in this paper we shall discuss the substantial aspects of the Act in relation to privacy concerns which have been raised by a number of experts. In October 2012, the Group of Experts on Privacy constituted by the Planning Commission under the chairmanship of Justice AP Shah Committee submitted its report which listed nine principles of privacy which all legislations, especially those dealing with personal should adhere to. In this paper, we shall discuss how the Aadhaar Act fares vis-à-vis these nine principles.

In order for the reader to better understand the frame of reference on which we shall analyse the Aadhaar Act, the nine principles contained in the report of the Group of Experts on Privacy are explained in brief below:

• Principle 1: Notice - Does the legislation/regulation require that entities governed by the Act give simple to understand notice of its information practices to all individuals, in clear and concise language, before any personal information is collected from them.
• Principle 2: Choice and Consent - Does the legislation/regulation require that entities governed under the Act provide the individual with the option to opt in/opt out of providing their personal information.
• Principle 3: Collection Limitation - Does the legislation/regulation require that entities governed under the Act collect personal information from individuals only as is necessary for a purpose identified.
• Principle 4: Purpose Limitation - Does the legislation/regulation require that personal data collected and processed by entities governed by the Act be adequate and relevant to the purposes for which they are processed.
• Principle 5: Access and Correction - Does the legislation/regulation allow individuals: access to personal information about them held by an entity governed by the Act; the ability to seek correction, amendments, or deletion of such information where it is inaccurate, etc.
• Principle 6: Disclosure - Does the legislation ensure that information is only disclosed to third parties after notice and informed consent is obtained. Is disclosure allowed for law enforcement purposes done in accordance with laws in force.
• Principle 7: Security - Does the legislation/regulation ensure that information that is collected and processed under that Act, is done so in a manner that protects against loss, unauthorized access, destruction, etc.
• Principle 8: Openness - Does the legislation/regulation require that any entity processing data take all necessary steps to implement practices, procedures, policies and systems in a manner proportional to the scale, scope, and sensitivity to the data that is collected and processed and is this information made available to all individuals in an intelligible form, using clear and plain language?
• Principle 9: Accountability - Does the legislation/regulation provide for measures that ensure compliance of the privacy principles? This would include measures such as mechanisms to implement privacy policies; including tools, training, and education; and external and internal audits.

Analysis of the Aadhaar Act

The Aadhaar Act has been brought about to give legislative backing to the most ambitious individual identity programme in the world which aims to provide a unique identity number to the entire population of India. The rationale behind this scheme is to correctly identify the beneficiaries of government schemes and subsidies so that leakages in government subsidies may be reduced. In furtherance of this rationale the Aadhaar Act gives the Unique Identification Authority of India (“UIDAI”) the power to enroll individuals by collecting their demographic and biometric information and issuing an Aadhaar number to them. Below is an analysis of the Act based on the privacy principles enumerated I the A.P. Shah Committee Report.

Collection Limitation

Collection of Biometric and Demographic Information: The Aadhaar Act entitles every “resident” [1] to obtain an Aadhaar number by submitting his/her biometric (photograph, finger print, Iris scan) and demographic information (name, date of birth, address [2]) [3]. It must be noted that the Act leaves scope for further information to be included in the collection process if so specified by regulations. It must be noted that although the Act specifically provides what information can be collected, it does not specifically prohibit the collection of further information. This becomes relevant because it makes it possible for enrolling agencies to collect extra information relating to individuals without any legal implications of such act.

Authentication Records: The UIDAI is mandated to maintain authentication records for a period which is yet to be specified (and shall be specified in the regulations) but it cannot collect or keep any information regarding the purpose for which the authentication request was made [4].

Unauthorized Collection: Any person who in not authorized to collect information under the Act, and pretends that he is authorized to do so, shall be punishable with imprisonment for a term which may extend to three years or with a fine which may extend to Rs. 10,000/- or both. In case of companies the maximum fine amount would be increased to Rs. 10,00,000/- [5]. It must be noted that the section, as it is currently worded seems to criminalize the act of impersonation of authorized individuals and the actual collection of information is not required to complete this offence. It is not clear if this section will apply if a person who is authorized to collect information under the Act in general, collects some information that he/she is not authorized to collect.

Notice

Notice during Collection: The Aadhaar Act requires that the agencies enrolling people for distribution of Aadhaar numbers should give people notice regarding: (a) the manner in which the information shall be used; (b) the nature of recipients with whom the information is intended to be shared during authentication; and (c) the existence of a right to access information, the procedure for making requests for such access, and details of the person or department in-charge to whom such requests can be made [6]. A failure to comply with this requirement will make the agency liable for imprisonment of upto 3 years or a fine of Rs. 10,000/- or both. In case of companies the maximum fine amount would be increased to Rs. 10,00,000/- [7]. It must be noted that the Act leaves the manner of giving such notice in the realm of regulations and does not specify how this notice is to be provided, which leaves important specifics to the realm of the executive.

Notice during Authentication: The Aadhaar Act requires that authenticating agencies shall give information to the individuals whose information is to be authenticated regarding (a) the nature of information that may be shared upon authentication; (b) the uses to which the information received during authentication may be put by the requesting entity; and (c) alternatives to submission of identity information to the requesting entity [8]. A failure to comply with this requirement will make the agency liable for imprisonment of upto 3 years or a fine of Rs. 10,000/- or both. In case of companies the maximum fine amount would be increased to Rs. 10,00,000/- [9]. Just as in the case of notice during collection, the manner in which the notice is required to be given is left to regulations leaving an unclear picture as to how comprehensive, accessible, and frequent this notice must be.

Access and Correction

Updating Information: The Aadhaar Act give the UIDAI the power to require residents to update their demographic and biometric information from time to time so as to maintain its accuracy [10].

Access to Information: The Aadhaar Act provides that Aadhaar number holders may request the UIDAI to provide access to their identity information expect their core biometric information [11]. It is not clear why access to the core biometric information [12] is not provided to an individual. Further, since section 6 seems to place the responsibility of updation and accuracy of biometric information on the individual, it is not clear how a person is supposed to know that the biometric information contained in the database has changed if he/she does not have access to the same. It may also be noted that the Aadhaar Act provides only for a request to the UIDAI for access to the information and does not make access to the information a right of the individual, this would mean that it would be entirely upon the discretion of the UIDAI to refuse to grant access to the information once a request has been made.

Alteration of Information: The Aadhaar Act gives individuals the right to request the UIDAI to alter their demographic if the same is incorrect or has changed and biometric information if it is lost or has changed. Upon receipt of such a request, if the UIDAI is satisfied, then it may make the necessary alteration and inform the individual accordingly. The Act also provides that no identity information in the Central database shall be altered except as provided in the regulations [13]. This section provides for alteration of identity information but only in the circumstances given in the section, for example demographic information cannot be changed if it has been lost, similarly biometric information cannot be changed if it is inaccurate. Further, the section does not give a right to the individual to get the information altered but only entitles him/her to request the UIDAI to make a change and the final decision is left to the “satisfaction” of the UIDAI.

Access to Authentication Record: Every individual is given the right to obtain his/her authentication record in a manner to be specified by regulations. [14]

Disclosure

Sharing during Authentication: The UIDAI is entitled to reply to any authentication query with a positive, negative or any other response which may be appropriate and may share identity information except core biometric information with the requesting entity [15]. The language in this provision is ambiguous and it is unclear what 'identity information' may be shared and why it would be necessary to share such information as Aadhaar is meant to be only a means of authentication so as to remove duplication.

Potential Disclosure during Maintenance of CIDR: The UIDAI has been given the power to appoint any one or more entities to establish and maintain the Central Identities Data Repository (CIDR) [16]. If a private entity is involved in the maintenance and establishment of the CIDR it can be presumed that there is the possibilty that they would, to some degree, have access to the information stored in the CIDR, yet there are no clear standards in the Act regarding this potential access. And the process for appointing such entities. The fact that the UIDAI has been given the freedom to appoint an outside entity to maintain a sensitive asset such as the CIDR raises security concerns.

Restriction on Sharing Information: The Aadhaar Act creates a blanket prohibition on the usage of core biometric information for any purpose other than generation of Aadhaar numbers and also prohibits its sharing for any reason whatsoever [17]. Other identity information is allowed to be shared in the manner specified under the Act or as may be specified in the regulations [18]. The Act further provides that the requesting entities shall not disclose the identity information except with the prior consent of the individual to whom the information relates [19]. There is also a prohibition on publicly displaying Aadhaar number or core biometric information except as specified by regulations [20]. Officers or the UIDAI or the employees of the agencies employed to maintain the CIDR are prohibited from revealing the information stored in the CIDR or authentication record to anyone [21]. It is not clear why an exception has been carved out and what circumstances would require publicly displaying Aadhaar numbers and core biometric information, especially since the reasons for which such important information may be displayed has been left up to regulations which have relatively less oversight. The section also provides the requesting entities with an option to further disclose information if they take consent of the individuals. This may lead to a situation where a requesting entity, perhaps the of an essential service, may take the consent of the individual to disclose his/her information in a standard form contract, without the option of saying no to such a request. It may lead to situations where the option is between giving consent to disclosure or denial or service altogether. For this reason it is necessary that there should be an opt in and opt out provision wherever a requesting entity has the power to ask for disclosure of information, so that people are not coerced into giving consent.

Disclosure in Specific Cases: The prohibition on disclosure of information (except for core biometric information) does not apply in case of any disclosure made pursuant to an order of a court not below that of a District Judge [22]. There is another exception to the prohibition on disclosure of information (including core biometric information) in the interest of national security if so directed by an officer not below the rank of a Joint Secretary to the Government of India specially authorised in this behalf by an order of the Central Government. Before any such direction can take effect, it will be reviewed by an oversight committee consisting of the Cabinet Secretary and the Secretaries to the Government of India in the Department of Legal Affairs and the Department of Electronics and Information Technology. Any such direction shall be valid for a period of three months and may be extended by another three months after the review by the Oversight Committee [23]. Although this provision has been criticized, and rightly so, for the lack of accountability since the entire process is being handled within the executive and there is no independent oversight, however it must be mentioned that the level of oversight provided here is similar to that provided to interception requests, which involve a much graver if not the same level of invasion of privacy.

Penalty for Disclosure: Any person who intentionally and in an unauthorized manner discloses, transmits, copies or otherwise disseminates any identity information collected in the course of enrolment or authentication shall be punishable with imprisonment of upto 3 years or a fine of Rs. 10,000/- or both. In case of companies the maximum fine amount would be increased to Rs. 10,00,000/ [24]. Further any person who intentionally and in an unathorised manner, accesses information in the CIDR [25], downloads, copies or extracts any data from the CIDR [26], or reveals or shares or distributes any identity information, shall be punishable with imprisonment of upto 3 years and a fine of not less than Rs. 10,00,000/-.

Consent

Consent for Authentication: A requesting entity has to take the consent of the individual before collecting his/her identity information for the purposes of authentication and also has to inform the individual of the alternatives to submission of the identity information [27]. Although this provision requires entities to take consent from the individuals before collecting information for authentication, however how useful this requirement of consent would be, still remains to be seen. There may be instances where a requesting entity may take the consent of the individual in a standard form contract, without the individual realizing what he/she is consenting to.

Note: The Aadhaar Act provides no requirement or standard for the form of consent that must be taken during enrollment. This is significant as it is the point at which individuals are providing raw biometric material and during previous enrollment, has been a point of weakness as the consent taken is an enabler to function creep as it allows the UIDAI to share information with engaged in delivery of welfare services [28].

Purpose

Use of Information: The authenticating entities are allowed to use the identity information only for the purpose of submission to the CIDR for authentication [29]. Further, the Act specifies that identity information available with a requesting entity shall not be used for any purpose other than that specified to the individual at the time of submitting the information for authentication [30]. The Act also provides that any authentication entity which uses the information for any purpose not already specified will be liable to punishment of imprisonment of upto 3 years or a fine of Rs. 10,000/- or both. In case of companies the maximum fine amount would be increased to Rs. 10,00,000/ [31].

Security

Security and Confidentiality of Information: It is the responsibility of the UIDAI to ensure the security and confidentiality of the identity and authentication information and it is required to take all necessary action to ensure that the information in the CIDR is protected against unauthorized access, use or disclosure and against accidental or intentional destruction, loss or damage [32]. The UIDAI is required to adopt and implement appropriate technical and organisational security measures and also ensure that its contractors do the same [33]. It is also required to ensure that the agreements entered into with its contractors impose the same conditions as are imposed on the UIDAI under the Act and that they shall act only upon the instructions of the UIDAI [34].

Biometric Information to be Electronic Record: The biometric information collected by the UIDAI has been deemed to be an “electronic record” as well as “sensitive personal data or information”, which would mean that in addition to the provisions of the Aadhaar Act, the provisions contained in the Information Technology Act, 2000 will also apply to such information [35]. It must be noted that while the Act lays down the principle that UIDAI is required to ensure the saecurity of the information, it does not lay down any guidelines as to the minimum security standards to be implemented by the Authority. However, through this section the legislature has linked the security standards contained in the IT Act to the information contained in this Act. While this is a clean way of dealing with the issue, some people may argue that the extremely sensitive nature of the information contained in the CIDR requires the standards for security to be much stricter than those provided in the IT Act. However, a perusal of Rule 8 of the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 shows that the Rules themselves provide that the standard of security must be commensurate with the information assets being protected. It would thus seem that the Act provides enough room to protect such important information, but perhaps leaves too much room for interpretation for such an important issue.

Penalty for Unauthorised Access: Apart from the security provisions included in the legislation, the Aadhaar Act also provides for punishment of imprisonment of upto 3 years and a fine which shall not be less than Rs. 10,00,000/-, in case of the following offences:

1. introduction of any virus or other computer contaminant in the CIDR [36];
2. causing damage to the data in the CIDR [37];
3. disruption of access to the CIDR [38];
4. denial of access to any person who is authorised to access the CIDR [39];
5. destruction, deletion or alteration of any information stored in any removable storage media or in the CIDR or diminishing its value or utility or affecting it injuriously by any means [40];
6. stealing, concealing, destroying or altering any computer source code used by the Authority with an intention to cause damage [41].

Further, unauthorized usage or tampering with the data in the CIDR or in any removable storage medium with the intent of modifying information relating to Aadhaar number holder or discovering any information thereof, is also punishable with imprisonment for a term which may extend to 3 years and also a fine which may extend to Rs. 10,000/- [42].

Accountability

Inspections and Audits: One of the functions listed in the powers and functions of the UIDAI is the power to call for information and records, conduct inspections, inquiries and audit of the operations of the CIDR, Registrars, enrolling agencies and other agencies appointed under the Aadhaar Act [43].

Grievance Redressal: Another function of the UIDAI is to set up facilitation centres and grievance redressal mechanisms for redressal of grievances of individuals, Registrars, enrolling agencies and other service providers [44]. It must be said here that considering the importance that the government has given to and intends to give to Aadhaar in the future, an essential task such as grievance redressal should not be left entirely to the discretion of the UIDAI and some grievance redressal mechanism should be incorporated into the Act itself.

Openness

There does not seem to be any provision in the Aadhaar Act which requires the UIDAI to make its privacy policies and procedure available to the public in general even though the UIDAI has the responsibility to maintain the security and confidentiality of the information.

Endnotes

[1] A resident is defined as any person who has resided in India for a period of atleasy 182 days in the previous 12 months.

[2] It has been specified that demographic information will not include race, religion, caste, tribe, ethnicity, language, records of entitlement, income or medical history.

[3] Section 3(1) of the Aadhaar Act.

[4] Section 32(1) and 32(3) of the Aadhaar Act.

[5] Section 36 of the Aadhaar Act.

[6] Section 3(2) of the Aadhaar Act.

[7] Section 41 of the Aadhaar Act.

[8] Section 8(3) of the Aadhaar Act.

[9] Section 41 of the Aadhaar Act.

[10] Section 6 of the Aadhaar Act.

[11] Section 28, proviso of the Aadhaar Act.

[12] Core biometric information is defined as fingerprints, iris scan or other biological attributes which may be specified by regulations.

[13] Section 31 of the Aadhaar Act.

[14] Section 32(2) of the Aadhaar Act.

[15] Section 8(4) of the Aadhaar Act.

[16] Section 10 of the Aadhaar Act.

[17] Section 29(1) of the Aadhaar Act.

[18] Section 29(2) of the Aadhaar Act.

[19] Section 29(3)(b) of the Aadhaar Act.

[20] Section 29(4) of the Aadhaar Act.

[21] Section 28(5) of the Aadhaar Act.

[22] Section 33(1) of the Aadhaar Act.

[23] Section 33(2) of the Aadhaar Act.

[24] Section 37 of the Aadhaar Act.

[25] Section 38(a) of the Aadhaar Act.

[26] Section 38(b) of the Aadhaar Act.

[27] Section 8(2)(a) and (c) of the Aadhaar Act.

[28] For example, see: http://www.karnataka.gov.in/aadhaar/Downloads /Application%20form%20-%20English.pdf.

[29] Section 8(2)(b) of the Aadhaar Act.

[30] Section 29(3)(a) of the Aadhaar Act.

[31] Section 37 of the Aadhaar Act.

[32] Section 28(1), (2) and (3) of the Aadhaar Act.

[33] Section 28(4)(a) and (b) of the Aadhaar Act.

[34] Section 28(4)(c) of the Aadhaar Act.

[35] Section 30 of the Aadhaar Act.

[36] Section 38(c) of the Aadhaar Act.

[37] Section 38(d) of the Aadhaar Act.

[38] Section 38(e) of the Aadhaar Act.

[39] Section 38(f) of the Aadhaar Act.

[40] Section 38(h) of the Aadhaar Act.

[41] Section 38(i) of the Aadhaar Act.

[42] Section 39 of the Aadhaar Act.

[43] Section 23(2)(l) of the Aadhaar Act.

[44] Section 23(2)(s) of the Aadhaar Act.

Download the infographic: PDF and PNG.

Credits: The illustration uses the following icons from The Noun Project - Thumpbrint created by Daouna Jeong, Duplicate created by Pham Thi Dieu Linh, Copy created by Mahdi Ehsaei.

License: It is shared under Creative Commons Attribution 4.0 International License.

License: It is shared under Creative Commons Attribution 4.0 International License.

The Centre for Internet and Society

Statement on Sexual Harassment at ICANN55

The Centre for Internet and Society (“CIS”) strongly condemns the acts of sexual harassment that took place against one of our representatives, Ms. Padmini Baruah, during ICANN 55 in Marrakech. It is completely unacceptable that an event the scale of an ICANN meeting does not have in place a formal redressal system, a neutral point of contact or even a policy for complainants who have been put through the ordeal of sexual harassment. ICANN cannot claim to be inclusive or diverse if it does not formally recognise a specific procedure or recourse under such instances.

Ms. Baruah is by no means the first young woman to be subject to such treatment at an ICANN event, but she is the first to raise a formal complaint. Following the incident, she was given no immediate remedy or formal recourse, and that has left her with no option but to make the incident publicly known in the interim. The ombudsman’s office has been in touch with her, but this administrative process is simply inadequate for rights-violations.

Ms. Baruah has received support from various community, staff, and board members. While we are thankful for their support, we believe that this situation can be better dealt with through some positive measures. We ask that ICANN carry out the following steps in order to make its meetings a truly safe and inclusive space:

1. Institute a formal redressal system and policy with regard to sexual harassment within ICANN. The policy must be displayed on the ICANN website, at the venue of meetings and made available in delegate kits.

2. Institute an Anti Sexual Harassment Committee that is neutral and approachable. Merely having an ombudsman who is a white male, however well intentioned, is inadequate and completely unhelpful to the complainant. The present situation is one where the ombudsman has no effective power and only advises the board.

3. Conduct periodic gender and anti sexual harassment training of the ICANN board to help them better understand, recognise and address instances of sexual harassment.

4. Conduct periodic gender and anti sexual harassment training for the ombudsman even if he/she will not be the exclusive point of contact for complainants as the ombudsman forms an important part of community and participant engagement

5. Conduct periodic gender sensitisation for the ICANN community.

The article was published in the Wire on March 21, 2016

As Indian cities reposition themselves to play a significant role in development due to urban transformation, the government has envisioned building 100 smart cities across the country. Due to the lack of a precise definition as to what exactly constitutes a smart city, the mutual consensus that has evolved is that modern technology will be harnessed, which will lead to smart outcomes.

Here, Big Data and analytics will play a predominant role by the way of cloud, mobile technology and other social technologies that gather data for the purpose of ascertaining and accordingly addressing concerns of people.

Role of Big Data

Leveraging city data and using geographical information systems (GIS) to collect valuable information about stakeholders are some techniques that are commonly used in smart cities to execute emergency systems, creating dynamic parking areas, naming streets, and develop monitoring. Other sources which would harness such data would be from fire alarms, in disaster management situations and energy saving mechanisms, which would sense, communicate, analyze and combine information across platforms to generate data to facilitate decision making and manage services.

According to the Department of Electronics and Information Technology, the government’s plan to develop smart cities in the country could lead to a massive expansion of an IoT (Internet of Things) ecosystem within the country. The revised draft IoT policy aims at developing IoT products in this domain by using Big Data for government decision-making processes. For example, in India a key opportunity that has been identified is with regard to traffic management and congestion. Here, collecting data during peak hours, processing information in real time and using GPS history from mobile phones can give insight into the routes taken and modes of transportation preferred by commuters to deal with traffic woes. The Bengaluru Transport Information System (BTIS) was an early adopter of big data technology which resorted to aggregating data streams from multiple sources to enable planning of travel routes by avoiding traffic congestions, car-pooling, etc.

Challenges

The idea of a data-driven urban city has drawn criticism as the initiative tends to homogenize Indian culture and change the fabric of cities by treating them alike in terms of their political economy, culture, and governance.

Despite basing the idea of a smart city on the assumption that technology-based solutions and techniques would be a viable solution for city problems in India, it is pertinent to note that the collection of personal real-time data may blur the line between personal data with the large data collected from multiple sources, leaving questions around privacy considerations, use and reuse of such data, especially by companies and businesses involved in providing services in legally and morally grey areas.

Privacy concerns cloud the dependence on big data for functioning of smart cities as it may lead to erosion of privacy in different forms, for example if it is used to carry out surveillance, identification and disclosures without consent, discriminatory inferences, etc.

Apart from right to privacy, a number of rights of an individual like the right to access and security rights would be at risk as it may enable practices of algorithmic social sorting (whether people get a loan, a tenancy, a job, etc.), and anticipatory governance using predictive profiling (wherein data precedes how a person is policed and governed). Dataveillance raises concerns around access and use of data due to increase in digital footprints (data they themselves leave behind) and data shadows (information about them generated by others). Also, the challenges and the realities of getting access to correct and standardized data, and proper communication seem to be a hurdle which still needs to be overcome.

The huge, yet untapped, amount of data available in India requires proper categorization and this makes a robust and reliable data management system prerequisite for realization of the country’s smart city vision. Cooperation between agencies in Indian cities and a holistic technology-based approach like ICT and GT (geospatial technologies) to resolve issues pertaining to wide use of technology is the need of the hour.  The skills to manage, analyze and develop insights for effective policy decisions are still being developed, particularly in the public sector. Recognizing this, Nasscom in India has announced setting up a Centre of Excellence (CoE) to create quality workforce.

Though it is apparent that data will play a considerable role in smart city mission, the peril is lack of planning in terms of policies to govern the big data mechanics and use of data. This calls for development of suitable standards and policies to guide technology providers & administrators to manage and interpret data in a secured environment.

Legal hurdles

The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 deals with accountability regarding data security and protection as it applies to ‘body corporates’ and digital data. It defines a ‘body corporate’ as “any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities” under the IT Act. Therefore, it can be ascertained that government bodies or individuals collecting and using Big Data for the smart cities in India would be excluded from the scope of these Rules. This highlights the lack of a suitable regulatory framework to take into account potential privacy challenges, which currently seem to be underestimated by our planners and administrators.

Regarding access to open data, though the National Data Sharing and Accessibility Policy 2012 recognizes sensitive data, the term has not been clearly defined under it. However, the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 clearly define sensitive personal data or information. Therefore, the open data framework must refer to or adopt a clear definition drawing from section 43A Rules to bring clarity in this regard.

Way forward

As India moves toward a digital transformation, highlighted by flagship programmes like Smart Cities Mission, Digital India and the UID project, data regulation and recognition of use of data will change the nature of the relationship between the state and the individual.  However, this seems to have been overlooked. Policies that regulate the digital environment of the country will intertwine with urban policies due to the smart cities mission. Use of ICTs in the form of IoT and Big Data entails access to open data, bringing another policy area in its ambit which needs consideration. Identification/development of open standards for IoT particularly for interoperability between cross sector data must be looked at.

To address privacy concerns due to the use of big data techniques, nuanced data legislation is required. For a conducive big data and technologically equipped environment, the governments must increase efforts to create awareness about the risks involved and provide assurance about the responsible use of data.

Additionally, a lack of skilled and educated manpower to deal with such data effectively must also be duly considered.

The concept note produced by the government reflects how it visualizes smart cities to be a product of marrying the physical form of cities and its infrastructure to a wider discourse on the use of technology and big data in city governance. This makes the role of big data quite indispensable, making it synonymous with the very notion of a smart city. However, the important issue is to understand that data analytics is only a part of the idea. What is additionally required is effective governance mechanism and political will. Collaboration and co-operation is the glue that will make this idea work. It is important to merge urban development policies with principles of democracy. The data involved in planning for urbanized and networked cities are currently flawed and politically-inflected. Therefore, collective efforts must go into minimizing pernicious effects of the same to ensure the basic human rights are not violated in the race to make cities “smart”.

Vanya Rakesh is Programme Officer, The Centre for Internet & Society (CIS), Bangalore. Elonnai Hickok, Policy Director of CIS, also provided inputs for this story.

The article will be published in Frontline, April 15, 2016 print edition.

Zero. The probability of some evil actor breaking into the central store of authentication factors (such as keys and passwords) for the Internet. Why? That is because no such store exists. And, what is the probability of someone evil breaking into the Central Identities Data Repository (CIDR) of the Unique Identification Authority of India (UIDAI)? Greater than zero. How do we know this? One, the central store exists and two, the Aadhaar Bill lists breaking into this central store as an offence. Needless to say, it would be redundant to have a law that criminalises a technological impossibility. What is the consequence of someone breaking into the central store? Remember, biometrics is just a fancy word for non-consensual and covert identification technology. High-resolution cameras can capture fingerprints and iris information from a distance.

In other words, on March 16, when Parliament passed the Bill, it was as if Indian lawmakers wrote an open letter to criminals and foreign states saying, “We are going to collect data to non-consensually identify all Indians and we are going to store it in a central repository. Come and get it!” Once again, how do I know that the CIDR will be compromised at some date in the future? How can I make that policy prediction with no evidence to back it up? To quote Sherlock Holmes, “Once you eliminate the impossible, whatever remains, no matter how improbable, must be the truth.” If a back door to the CIDR exists for the government, then the very same back door can be used by an enemy within or from outside. In other words, the principle of decentralisation in cybersecurity does not require repeated experimental confirmation across markets and technologies.

Zero. The chances that you can fix with the law what you have broken with poor technological choices and architecture. And, to a large extent vice versa. Aadhaar is a surveillance project masquerading as a development intervention because it uses biometrics. There is a big difference between the government identifying you and you identifying yourself to the government. Before UID, it was much more difficult for the government to identify you without your knowledge and conscious cooperation. Tomorrow, using high-resolution cameras and the power of big data, the government will be able to remotely identify those participating in a public protest. There will be no more anonymity in the crowd. I am not saying that law-enforcement agencies and intelligence agencies should not use these powerful technologies to ensure national security, uphold the rule of law and protect individual rights. I am only saying that this type of surveillance technology is inappropriate for everyday interactions between the citizen and the state.

Some software engineers believe that there are technical fixes for these concerns; they point to the consent layer in the India stack developed through a public-private partnership with the UIDAI. But this is exactly what Evgeny Morozov has dubbed “technological solutionism”—fundamental flaws like this cannot be fixed by legal or technical band-aid. If you were to ask the UIDAI how do you ensure that the data do not get stolen between the enrolment machine and the CIDR, the response would be, we use state-of-the-art cryptography. If cryptography is good enough for the UIDAI why is it not good enough for citizens? That is because if citizens use cryptography [on smart cards] to identify themselves to the state, the state will need their conscious cooperation each time. That provides the feature that is required for better governance without the surveillance bonus. If you really must use biometrics, it could be stored on the smart card after being digitally signed by the enrolment officer. If there is ever a doubt whether the person has stolen the smart card, a special machine can be used to read the biometrics off the card and check that against the person. This way the power of biometrics would be leveraged without any of the accompanying harms.

Zero. This time, for the utility of biometrics as a password or authentication factor. There are two principal reasons for which the Act should have prohibited the use of biometrics for authentication. First, biometric authentication factors are irrevocable unlike passwords, PINs, digital signatures, etc. Once a biometric authentication factor has been compromised, there is no way to change it. The security of a system secured by biometrics is permanently compromised. Second, our biometrics is so easy to steal; we leave our fingerprints everywhere.

Also, if I upload my biometric data onto the Internet, I can then plausibly deny all transactions against my name in the CIDR. In order to prevent me from doing that, the government will have to invest in CCTV cameras [with large storage] as they do for passport-control borders and as banks do at ATMs. If you anyway have to invest in CCTV cameras, then you might as well stick with digital signatures on smart cards as the previous National Democratic Alliance (NDA) government proposed the SCOSTA (Smart Card Operating System Standard for Transport Application) standard for the MNIC (Multipurpose National ID Card). Leveraging smart card standards like EMV will ensure harnessing greater network effects thanks to the global financial infrastructure of banks. These network effects will drive down the cost of equipment and afford Indians greater global mobility. And most importantly when a digital signature is compromised the user can be issued a new smart card. As Rufo Guerreschi, executive director of Open Media Cluster, puts it, “World leaders and IT experts should realise that citizen freedoms and states’ ability to pursue suspects are not an ‘either or’ but a ‘both or neither’.”

Near zero. We now move biometrics as the identification factor. The rate of potential duplicates or “False Positive Identification Rate” which according to the UIDAI is only 0.057 per cent. Which according to them will result in only “570 resident enrolments will be falsely identified as duplicate for every one million enrolments.” However, according to an article published in Economic & Political Weekly by my colleague at the Centre for Internet and Society, Hans Verghese Mathews, this will result in one out of every 146 people being rejected during enrolment when total enrolment reaches one billion people. In its rebuttal, the UIDAI disputes the conclusion but offers no alternative extrapolation or mathematical assumptions. “Without getting too deep into the mathematics” it offers an account of “a manual adjudication process to rectify the biometric identification errors”.

This manual adjudication determines whether you exist and has none of the elements of natural justice such as notice to the affected party and opportunity to be heard. Elimination of ghosts is impossible if only machines and unaccountable humans perform this adjudication. This is because there is zero skin in the game. There are free tools available on the Internet such as SFinGe (Synthetic Fingerprint Generator) which allow you to create fake biometrics. The USB cables on the UIDAI-approved enrolment setup can be intercepted using generic hardware that can be bought online. With a little bit of clever programming, countless number of ghosts can be created which will easily clear the manual adjudication process that the UIDAI claims will ensure that “no one is denied an Aadhaar number because of a biometric false positive”.

Near zero. This time for surveillance, which I believe should be used like salt in cooking. Essential in small quantities but counterproductive even if slightly in excess. There is a popular misconception that privacy researchers such as myself are opposed to surveillance. In reality, I am all for surveillance. I am totally convinced that surveillance is good anti-corruption technology.

But I also want good returns on investment for my surveillance tax rupee. According to Julian Assange, transparency requirements should be directly proportionate to power; in other words, the powerful should be subject to more surveillance. And conversely, I add, privacy protections must be inversely proportionate to power—or again, in other words, the poor should be spared from intrusions that do not serve the public interest. The UIDAI makes the exact opposite design assumption; it assumes that the poor are responsible for corruption and that technology will eliminate small-ticket or retail corruption. But we all know that politicians and bureaucrats are responsible for most of large-ticket corruption.

Why does not the UIDAI first assign UID numbers to all politicians and bureaucrats? Then using digital signatures why do not we ensure that we have a public non-repudiable audit trail wherein everyone can track the flow of benefits, subsidies and services from New Delhi to the panchayat office or local corporation office? That will eliminate big-ticket or wholesale corruption. In other words, since most of Aadhaar’s surveillance is targeted at the bottom of the pyramid, there will be limited bang for the buck. Surveillance is the need of the hour; we need more CCTVs with microphones turned on in government offices than biometric devices in slums.

Instantiation technology

One. And zero. In the contemporary binary and digital age, we have lost faith in the old gods. Science and its instantiation technology have become the new gods. The cult of technology is intolerant to blasphemy. For example, Shekhar Gupta recently tweeted saying that part of the opposition to Aadhaar was because “left-libs detest science/tech”. Technology as ideology is based on some fundamental articles of faith: one, new technology is better than old technology; two, expensive technology is better than cheap technology; three, complex technology is better than simple technology; and four, all technology is empowering or at the very least neutral. Unfortunately, there is no basis in science for any of these articles of faith.

Let me use a simple story to illustrate this. I was fortunate to serve as a member of a committee that the Department of Biotechnology established to finalise the Human DNA Profiling Bill, 2015, which was to be introduced in Parliament in the last monsoon session. Aside: the language of the Act also has room for the database to expand into a national DNA database circumventing 10 years of debate around the controversial DNA Profiling Bill, 2015. The first version of this Bill that I read in January 2013 said that DNA profiling was a “powerful technology that makes it possible to determine whether the source of origin of one body substance is identical to that of another … without any doubt”. In other words, to quote K.P.C. Gandhi, a scientist from Truth Labs, “I can vouch for the scientific infallibility of using DNA profiling for carrying out justice.”

Unfortunately, though, the infallible science is conducted by fallible humans. During one of the meetings, a scientist described the process of generating a biometric profile. The first step after the laboratory technician generated the profile was to compare the generated profile with her or his own profile because during the process of loading the machine with the DNA sample, some of the laboratory technician’s DNA could have contaminated the sample. This error would not be a possibility in much older, cheaper and rudimentary biometric technology for example, photography. A photographer developing a photograph in a darkroom does not have to ensure that his or her own image has not accidentally ended up on the negative. But the UIDAI is filled with die-hard techno-utopians; if you tell them that fingerprints will not work for those who are engaged in manual labour, they will say then we will use iris-based biometrics. But again, complex technologies are more fragile and often come with increased risks. They may provide greater performance and features, but sometimes they are easier to circumvent. A gummy finger to fool a biometric scanner can be produced using glue and a candle, but to fake a passport takes a lot of sophisticated technology. Therefore, it is important for us as a nation to give up our unquestioning faith in technology and start to debate the exact technological configurations of surveillance technology for different contexts and purposes.

One. This time representing a monopoly. Prior to the UID project, nobody got paid when citizens identified themselves to the state. While the Act says that the UIDAI will get paid, it does not specify how much. Sooner or later, this cost of identification will be passed on to the citizens and residents. There will be a consumer-service provider relationship established between the citizen and the state when it comes to identification. The UIDAI will become the monopoly provider of identification and authentication services in India which is trusted by the government. That sounds like a centrally planned communist state to me. Should not the right-wing oppose the Act because it prevents the free market from working? Should not the free market pick the best technology and business model for identification and authentication? Will not that drive the cost of identification and authentication down and ensure higher quality of service for citizens and residents?

Competing providers

Competing providers can also publish transparency reports regarding their compliance with data requests from law-enforcement and intelligence agencies, and if this is important to consumers they will be punished by the market. The government can use mechanisms such as permanent and temporary bans and price regulation as disincentives for the creation of ghosts. There will be a clear financial incentive to keep the database clean. Just like the government established a regulatory framework for digital certificates in the Information Technology Act allowing for e-commerce and e-governance. Ideally, the Aadhaar Bill should have done something similar and established an ecosystem for multiple actors to provide services in this two-sided market. For it is impossible for a “small government” to have the expertise and experience to run one of the world’s largest database of biometric and transaction records securely for perpetuity.

To conclude, I support the use of biometrics. I support government use of identification and authentication technology. I support the use of ID numbers in government databases. I support targeted surveillance to reduce corruption and protect national security. But I believe all these must be put in place with care and thought so that we do not end up sacrificing our constitutional rights or compromising the security of our nation state. Unfortunately, the Aadhaar project’s technological design and architecture is an unmitigated disaster and no amount of legal fixes in the Act will make it any better. Our children will pay a heavy price for our folly in the years to come. To quote the security guru Bruce Schneier, “Data is a toxic asset. We need to start thinking about it as such, and treat it as we would any other source of toxicity. To do anything else is to risk our security and privacy.”

The article was published by Quint on March 31, 2016.

The passage of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (will hereby be referred to as “the Act”) has led to flak for the government from privacy advocates, academia and civil society, to name a few.

To my mind, the opposition deserves its fair share of criticism (lacking so far), for its absolute failure to engage with and act as a check on the government in the passage of the Act, and the events leading up to it.

The government’s introduction of the Act as a ‘money bill’ under Article 110 of the Constitution of India (“this/the Article”) is a mockery of the constitutional process. It renders redundant, the role of the Rajya Sabha as a check on the functioning of the Lower House.

Article 110 limits a ‘money bill’ only to six specific instances: covering tax, the government’s financial obligations and, receipts and payments to and from the Consolidated Fund of India, and, connected matters.

The Act lies well outside the confines of the Article; the government’s action may attract the attention of the courts.

Political One-Upmanship

Finance Minister Arun Jaitley (left) listens to Reserve Bank of India (RBI) Governor Raghuram Rajan. (Photo: Reuters)

In the past, the Supreme Court (“the Court”) has stepped into the domain of the Parliament or the Executive when there was a complete and utter disregard for India’s constitutional scheme. In recent constitutional history, this is perhaps most noticeable in the anti-defection cases, (beginning with Kihoto Hollohan in 1992); and, in the SR Bommai case in 1994, on the imposition of the President’s rule in states.

In hindsight, although India has benefited from the Court’s action in the Bommai and Hollohan cases, it is unlikely that the passage of the Aadhaar Act as a ‘money bill’, reprehensible as it is, meets the threshold required for the Court’s intervention in Parliamentary procedure.

Besides, the manner of its passage, the Act warrants

• Censure for its process
• Its (in)compatibility with fundamental rights
• The failure to incorporate the suggestions of the Yashwant Sinha-led Standing Committee to UPA’s NIDAI Bill
• The possibility of surveillance that it presents
• The lack of measures to protect personal information
• Its inadequate privacy safeguards
• The questions around the realisation of its stated purpose.

Instead, a part of the Aadhaar debate has involved political one-upmanship between the Congress and the BJP, pitting the former’s NIDAI Bill against the latter’s Aadhaar Act.

While an academic comparison between the two is welcome, its use as a tool for political supremacy would be laughable, were it not deeply problematic, given the many serious concerns highlighted above.

Better Than UPA Bill?

The Act may have more privacy safeguards than the earlier UPA Bill. (Photo: iStockphoto)

And while the Act may have more privacy safeguards than the earlier UPA Bill, critics have argued that they not up to the international standard, and instead, that they are plagued by opacity.

Additionally, despite claims that the Act is a significant improvement over the UPA Bill, it fails to address concerns, including around the centralised storage of information, that were raised by civil society members and others.

Perhaps most problematically, however, the Act takes away an individual’s control of her own information. Subsidies, government benefits and services are linked to the mandatory possession of an Aadhar number (Section 7 of the Act), effectively negating the ‘freedom’ of voluntary enrollment (Section 3 of the Act). This directly contradicts the recommendations of the Justice AP Shah Committee, before whom the Unique Identification Authority of India had earlier stated that enrollment in Aadhaar was voluntary.

To make matters worse, the individual does not have the authority to correct, modify or alter her information; this lies, instead, with the UIDAI alone (Section 31 of the Act). And the sharing of such personal information does not require a court order in all cases.

Kanhaiya Kumar speaking in JNU on 3 March 2016. (Photo: PTI)

These recent events around Aadhaar have only underscored the dire urgency for comprehensive privacy legislation in India and, the need to overhaul our data protection laws to meet our constitutional commitments along with international standards.

On the 6th of March, 2016, Sunday, at about 10 am in the gNSO working session being conducted at the room Diamant, I was sexually harassed by someone from the private sector constituency named Khaled Fattal. He approached me, pulled at my name tag, and passed inappropriate remarks. I felt like my space and safety as a young woman in the ICANN community was at stake.

I had incidentally been in discussion with the ICANN Ombudsman on developing a clear and coherent sexual harassment policy and procedure for the specific purposes of ICANN’s public meetings. Needless to say, this incident pushed me to take forward what had hitherto been a mere academic interest with increased vigour. I was amazed, firstly that the office of the ombudsman only had two white male members manning it. I was initially inhibited by that very fact, but made two points before them:

1. With respect to action on my individual case.
2. With respect to the development of policy in general.

I would like to put on record that the ombudsman office was extremely sympathetic and gave me a thorough hearing. They assured me that my individual complaint would be recorded, and sought to discuss the possibility of me raising a public statement with respect to policy, as they believed that the Board would be likely to take this suggestion up from a member of the community. I was also informed, astoundingly, that this was the first harassment case reported in the history of ICANN.

I then, as a newcomer to the community, ran this idea of making a public statement by no means an easy task at all, given the attached stigma that comes with being branded a victim of a sexual crime by certain senior people within ICANN who had assured me that they would take my side in this regard. To my dismay, there were two strong stands of victim blaming and intimidation that I faced I was told, in some cases by extremely senior and well respected, prominent women in the ICANN community, that raising this issue up would demean my credibility, status and legitimacy in ICANN, and that my work would lose importance, and I would “...forever be branded as THAT woman.” My incident was also trivialised in offhand casual remarks such as “This happened because you are so pretty”, “Oh you filed a complaint, not against me I hope, ha ha” which all came from people who are very high up in the ICANN heirarchy. I was also asked if I was looking for money out of this. Click to read the full statement made to ICANN here.

The article was published by Livemint on March 7, 2016.

The Aadhaar Bill has been introduced as a money bill, even though it doesn’t qualify as such under Article 110 of the Constitution. If the Speaker agrees to this, it will render the Rajya Sabha toothless in this matter, and will weaken our democracy. The government should reintroduce it as an ordinary legislative bill, which is what it is.

While the government has in the past argued before the Supreme Court that Aadhaar is voluntary, Section 7 of the bill allows the government to mandate an Aadhaar number (or application for an Aadhaar number) as a prerequisite for obtaining some subsidies, benefits, services, etc. This undermines its arguments before the Supreme Court, which led the court to pass orders holding that Aadhaar should not be made mandatory. This move to make it mandatory will now need the government to argue that rather than contravene the apex court order, it has instead removed the rationale for it.

Interestingly, the Bharatiya Janata Party (BJP)-led National Democratic Alliance (NDA) government seems to have done a U-turn on the issue of the unique identification number not being proof of citizenship or domicile. The previous Congress-led United Progressive Alliance (UPA) government never meant the Aadhaar number to be proof of citizenship or domicile. This was attacked by the Yashwant Sinha-chaired standing committee on finance, which feared that illegal immigrants would get Aadhaar numbers. Now, the BJP and the NDA seem to be in agreement with the original UPA vision of Aadhaar.

Importantly, there is very strong language when it comes to the issue of privacy and confidentiality of the information that is held by the Unique Identification Authority of India (UIDAI). Section 29 (1), for instance, says that no biometric information will be shared for any reason whatsoever, or used for any purpose other than Aadhaar number generation and authentication. However, that provision is undermined wholly by Section 33, which says that “in the interest of national security”, the biometric info may be accessed if authorized by a joint secretary. This will only fan the fears of those who have argued that the real rationale for Aadhaar was not, in fact, delivery of services, but to create a national database of biometric data available to government snoops.

Also Read

• Pros and cons of Aadhaar bill

Further, there are no remedies available for governmental abuse of this provision.

Lastly, in terms of privacy, the concern of those people who have been opposing Aadhaar is not just that the biometric and other identity information may be leaked to private parties, but also that having a unique Aadhaar number helps private parties to combine and use other databases that are linked with Aadhaar numbers in a manner that is not within the subject’s control. This is not at all addressed in this bill, and we need a robust data protection law in order to do that.

There are some other crucial details that the law doesn’t address: Is user consent, to be taken by third parties that use the UID database for authentication, needed for each instance of authentication, or would a general consent hold forever? How can consent be revoked?

There were many other objections that were raised against the Aadhaar scheme that have not been addressed by the government. For instance, in a recent article in the Economic and Political Weekly, Hans Varghese Mathews points out that going by the test data UIDAI made available in 2012, for a population of 1.3 billion people, the incidence of false positives—the probability of the identities of two people matching—is 1/112.

This is far too high a ratio to be acceptable.

Actual data from the field in Andhra Pradesh—of people who were unable to claim rations under the public distribution system (PDS)—paints a worse picture. A survey commissioned by the Andhra Pradesh government said 48% of respondents pointed to Aadhaar-related failures as the cause of their inability to claim rations.

So, even if the Aadhaar numbers were no longer issued to Lord Hanuman (Rajasthan), to dogs (e.g., Tommy Singh, a mutt in Madhya Pradesh), and with photos of a tree (New Delhi), it might not prove to be usable in a country of India’s size, given the capabilities of the fingerprint machines. As my colleague Sunil Abraham notes, the law cannot fix technological flaws.

So, while one wishes one could welcome the government’s attempt to bring Aadhaar within a legislative framework, the fact is there are too many problems that still remain unaddressed for one to be optimistic.

Pranesh Prakash is policy director at the Centre for Internet and Society, a think tank.

To comment on and/or download the file, click here.

Download the file: PDF.

Amidst all the hue and cry, the Aadhaar Act 2016, which was introduced with the aim of providing statutory backing to the use of Aadhaar, was passed in the Lok Sabha in its original form on March 16, 2016, after rejecting the recommendations made by Rajya Sabha . Though the Act has been vehemently opposed on several grounds, one of the concerns that has been voiced is regarding privacy and protection of the demographic and biometric information collected for the purpose of issuing the Aadhaar number.

In India, for the purpose of data protection, a body corporate is subject to section 43A of the Information Technology Act, 2000 ("IT Act ") and subsequent Rules, i.e. -The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 ("IT Rules"). Section 43A of the IT Act, 2000 holds a body corporate, which is possessing, dealing or handling any sensitive personal data or information, and is negligent in implementing and maintaining reasonable security practices resulting in wrongful loss or wrongful gain to any person, liable to compensate the affected person and pay damages.

Rule 3 of the IT Rules enlists personal information that would amount to Sensitive personal data or information of a person and includes the biometric information. Even the Aadhaar Act states under section 30 that the biometric information collected shall be deemed as "sensitive personal data or information", which shall have the same meaning as assigned to it in clause (iii) of the Explanation to section 43A of the IT Act; this reflects that biometric data collected in the Aadhaar scheme will receive the same level of protection as is provided to other sensitive personal data under Indian law. This implies that, the agencies contracted by the UIDAI (and not the UIDAI itself) to perform functions like collection, authentication, etc. like the Registrars, Enrolling Agencies and Requesting Entities, which meet the criteria of being a 'body corporate' as defined in section 43A, could be held responsible under this provision, as well as the Rules, to ensure security of the data and information of Aadhaar holder and could potentially be held liable for breach of information that results in loss to an individual if it can be proven that they failed to implement reasonable security practices and procedures.

In light of the fact that some actors in the Aadhaar scheme could be held accountable and liable under section 43A and associated Rules, this article compares the regulations regarding data security as found in section 43A and IT Rules 2011 with the provisions of Aadhaar Act 2016, and discusses the implications of the differences, if any.

1. Compensation and Penalty

Section 43A: Section 43A of the IT Act, 2000 (Amended in 2008) provides for compensation for failure to protect data. It states that a body corporate, which is possessing, dealing or handling any sensitive personal data or information, and is negligent in implementing and maintaining reasonable security practices resulting in wrongful loss or wrongful gain to any person, is liable to compensate the affected person and pay damages not exceeding five crore rupees.

Aadhaar Act : Chapter VII of the Act provides for offences and penalties, but does not talk about damages to the affected party.

• Section 37 states that intentional disclosure or dissemination of identity information, to any person not authorised under the Aadhaar Act, or in violation of any agreement entered into under the Act, will be punishable with imprisonment up to three years or a fine up to ten thousand rupees (in case of an individual), and fine up to one lakh rupees (in case of a company).
• Section 38 prescribes penalty with imprisonment up to three years and a fine not less than ten lakh rupees in case any of the acts listed under the provision are performed without authorisation from the UIDAI.
• Section 39 prescribes penalty with imprisonment for a term which may extend to three years and fine which may extend to ten thousand rupees for tampering with data in Central Identities Data Repository.
• Section 40 holds a requesting entity liable for penalty for use of identity information in violation of Section 8 (3) with imprisonment up to three years and/or a fine up to ten thousand rupees (in case of an individual), and fine up to one lakh rupees (in case of a company).
• Section 41 holds a requesting entity or enrolling agency liable for penalty for violation of Section 8 (3) or Section 3 (2) with imprisonment up to one year and/or a fine up to ten thousand rupees (in case of an individual), and fine up to one lakh rupees (in case of a company).
• Section 42 provides general penalty for any offence against the Act or regulations made under it, for which no specific penalty is provided, with imprisonment up to one year and/or a fine up to twenty five thousand rupees (in case of an individual), and fine up to one lakh rupees (in case of a company).

Though the Aadhaar Act prescribes penalty in case of unauthorised access, use or any other act contravening the Regulations, it fails to guarantee protection to the information and does not provide for compensation in case of violation of the provisions.

2. Privacy Policy

IT Rules: Rule 4 requires a body corporate to provide a privacy policy on their website, which is easily accessible, provides for the type and purpose of personal, sensitive personal information collected and used, and Reasonable security practices and procedures.

Aadhaar Act: Though in practise the contracting agencies (the body corporates under the Aadhaar ecosystem) may maintain a privacy policy on their website, the Aadhaar Act does not require a privacy policy for the UIDAI or other actors.

Implications: Because contracting agencies will be covered by the IT Rules if they are 'body corporates', the requirement to maintain a privacy policy will be applicable to them.

3. Consent

IT Rules: Rule 5 requires that prior to the collection of sensitive personal data, the body corporate must obtain consent, either in writing or through fax regarding the purpose of usage before collection of such information.

Aadhaar Act: The Act is silent regarding consent being acquired in case of the enrolling agency or registrars. However, section 8 provides that any requesting entity will take consent from the individual before collecting his/her Aadhaar information for authentication purposes, though it does not specify the nature (written/through fax).

Implications: If the enrolling agency is a body corporate, they will also be required to take consent prior to collecting and processing biometrics. It is possible that since the Aadhaar Act envisages a scheme which is quasi-compulsory in nature, a consent provision was deliberately left out. This circumstance would give the enrolling agencies an argument against taking consent, by saying that the Aadhaar Act is a specific legislation which is also later in point of time than the IT Rules, and a deliberate omission of consent coupled with the compulsory nature of the Aadhaar scheme would mean that they are not required to take consent of the individuals before enrolment.

4. Collection Limitation

IT Rules: Rule 5 (2) requires that a body corporate should only collect sensitive personal data if it is connected to a lawful purpose and is considered necessary for that purpose.

Aadhaar Act: Section 3(1) of the Act states that every resident shall be entitled to obtain an aadhaar number by submitting his demographic information and biometric information by undergoing the process of enrolment.

5. Notice

IT Rules: Rule 5(3) requires that while collecting information directly from an individual, the body corporate must provide the following information:

• The fact that information is being collected
• The purpose for which the information is being collected
• The intended recipients of the information
• The name and address of the agency that is collecting the information
• The name and address of the agency that will retain the information

Aadhaar Act: Section 3 of the Act states that at the time of enrolment and collection of information, the enrolling agency shall notify the individual as to how their information will be used; what type of entities the information will be shared with; and that they have a right to see their information and also tell them how they can see their information. However, the Act is silent regarding notice of name and address of the agency collecting and retaining the information.

6. Retention Limitation

IT Rules: Rule 5(4) requires that body corporate must retain sensitive personal data only for as long as it takes to fulfil the stated purpose or otherwise required under law.

Aadhaar Act: The Act is silent regarding this and does not mention the duration for which the personal information of an individual shall be retained by the bodies/organisations contracted by UIDAI.

7. Purpose Limitation

IT Rules: Rule 5(5) requires that information must be used for the purpose that it was collected for.

Aadhaar Act Section 57 contravenes this and states that the Act will not prevent use of Aadhaar number for other purposes under law by the State or other bodies. Section 8 of the Act states that for the purpose of authentication, a requesting entity is required to take consent before collection of Aadhaar information and use it only for authentication with the CIDR. Section 29 of the Act states that the core biometric information collected will not be shared with anyone for any reason, and must not be used for any purpose other than generation of Aadhaar numbers and authentication. Also, the Identity information available with a requesting entity will not be used for any purpose other than what is specified to the individual, nor will it be shared further without the individual's consent.

Act will not prevent use of Aadhaar number for other purposes under law by the State or other bodies.

8. Right to Access and Correct

IT Rules : Rule 5(6) requires a body corporate to provide individuals with the ability to review the information they have provided and access and correct their personal or sensitive personal information.

Aadhaar Act : The Act provides under section 3 that at the time of enrolment, the individual needs to be informed about the existence of a right to access information, the procedure for making requests for such access, and details of the person or department in-charge to whom such requests can be made. Section 28 of the Act provides that every aadhaar number holder may access his identity information except core biometric information. Section 32 provides that every Aadhaar number holder may obtain his authentication record. Also, if the demographic or biometric information about any Aadhaar number holder changes, is lost or is found to be incorrect, they may request the UIDAI to make changes to their record in the CIDR.

9. Right to 'Opt Out' and Withdraw Consent

IT Rules: Rule 5(7) requires that the individual must be provided with the option of 'opting out' of providing data or information sought by the body corporate. Also, they must have the right to withdraw consent at any point of time.

Aadhaar Act: The Aadhaar Act does not provide an opt- out provision and also does not provide an option to withdraw consent at any point of time. Section 7 of the Aadhaar Act actually implies that once the Central or State government makes aadhaar authentication mandatory for receiving a benefit then the individual has no other option but to apply for an Aadhaar number. The only concession that is made is that if an Aadhaar number is not assigned to an individual then s/he would be offered some alternative viable means of identification for receiving the benefit.

10. Grievance Officer

IT Rules: Rule 5(9) requires that body corporate must designate a grievance officer for redressal of grievances, details of which must be posted on the body corporate's website and grievances must be addressed within a month of receipt.

Aadhaar Act: The Aadhaar Act does not provide for any such mechanism for grievance redressal by the registrars, enrolling agencies or the requesting entities. However, since the contracting agencies will also get covered by the IT Rules if they are 'body corporates', the requirement to designate a grievance officer would be applicable to them as well due to the IT Rules.

11. Disclosure with Consent, Prohibition on Publishing and Further Disclosure

IT Rules: Rule 6 requires that body corporate must have consent before disclosing sensitive personal data to any third person or party, except in the case with Government agencies for the purpose of verification of identity, prevention, detection, investigation, on receipt of a written request. Also, the body corporate or any person on its behalf shall not publish the sensitive personal information and the third party receiving the sensitive personal information from body corporate or any person on its behalf shall not disclose it further.

Aadhaar Act: Regarding the requesting entities, the Act provides that they shall not disclose the identity information except with the prior consent of the individual to whom the information relates. The Act also states that the Authority shall take necessary measures to ensure confidentiality of information against disclosures. However, as an exception under section 33, the UIDAI may reveal identity information, authentication records or any information in the CIDR following a court order by a District Judge or higher. The Act also allows disclosure made in the interest of national security following directions by a Joint Secretary to the Government of India, or an officer of a higher rank, authorised for this purpose. The Act is silent on the issue of obtaining consent of the individual under these exceptions. Additionally, the Act also states that the Aadhaar number or any core biometric information collected or created regarding an individual under the Act shall not be published, displayed or posted publicly, except for the purposes specified by regulations.

12. Requirements for Transfer of Sensitive Personal Data

IT Rules : Rule 7 requires that body corporate may transfer sensitive personal data into another jurisdiction only if the country ensures the same level of protection and may be allowed only if it is necessary for the performance of the lawful contract between the body corporate or any person on its behalf and provider of information or where such person has consented to data transfer.

Aadhaar Act : The Act is silent regarding transfer of personal data into another jurisdiction by the any of the contracting bodies like the Registrar, Enrolling agencies or the requesting entities. However, if these agencies satisfy the requirement of being "body corporates" as defined under section 43A, then the above requirement regarding transfer of data to another jurisdiction under IT Rules would be applicable to them. However, considering the sensitive nature of the data involved, the lack of a prohibition of transferring data to another jurisdiction under the Aadhaar Act appears to be a serious lacuna.

13. Security of Information

IT Rules: Rule 8 requires that the body corporate must secure information in accordance with the ISO 27001 standard or any other best practices notified by Central Government. These practices must be audited annually or when the body corporate undertakes a significant up gradation of its process and computer resource.

Aadhaar Act: Section 28 of the Act states that the UIDAI must ensure the security and confidentiality of identity information and authentication records. It also states that the Authority shall adopt and implement appropriate technical and organisational security measures, and ensure the same are imposed through agreements/arrangements with its agents, consultants, advisors or other persons. However, it does not mention which standards/measures have to be adopted by all the actors in Aadhaar ecosystem for ensuring the security of information, though it can be argued that if the contractors employed by the UIDAI are body corporate then the standards prescribed under the IT Rules would be applicable to them.

Implications of the Differences for Body Corporates in Aadhaar Ecosystem

An analysis of the Rules in comparison to the data protection measures under the Aadhaar Act shows that the requirements regarding protection of personal or sensitive personal information differ and are not completely in line with each other.

Though the Aadhaar Act takes into account the provisions regarding consent of the individual, notice, restriction on sharing, etc., the Act is silent regarding many core measures like sharing of information across jurisdictions, taking consent before collection of information, adoption of security measures for protection of information, etc. which a body corporate in the Aadhaar ecosystem must adopt to be in compliance with section 43A of the IT Act. It is therefore important that the bodies collecting, handling, sharing the personal information and are governed by the Aadhaar Act, must adhere to section 43A and the IT Rules 2011. However, applicability of Aadhaar Act as well as section 43A and IT Rules 2011 would lead to ambiguity regarding interpretation and implementation of the Law. The differences must be duly taken into account and more clarity is required to make all the bodies under this Legislation like the enrolling agencies, Registrars and the Requesting Entities accountable under the correct provisions of Law. However, having two separate legislations governing the data protection standards in the Aadhaar scheme seems to have been overlooked. A harmonized and overarching privacy legislation is critical to avoid unclarity in the applicability of data protection standards and would also address many privacy concerns associated to the scheme.

Appendix I

The Rajya Sabha had proposed five amendments to the Aadhaar Act 2016, which are as follows:

i. Opt-out clause: A provision to allow a person to "opt out" of the Aadhaar system, even if already enrolled.

ii. Voluntary: To ensure that if a person chooses not to be part of the Aadhaar system, he/she would be provided "alternate and viable" means of identification for purposes of delivery of government subsidy, benefit or service.

iii. Amendment restricting the use of Aadhaar numbers only for targeting of government benefits or service and not for any other purpose.

iv. Amendment seeking change of the term "national security" to "public emergency or in the interest of public safety" in the provision specifying situations in which disclosure of identity information of an individual to certain law enforcement agencies can be allowed.

v. Oversight Committee: The oversight committee , which would oversee the possible disclosure of information, should include either the Central Vigilance Commissioner or the Comptroller and Auditor-General.

Sources:

• http://indianexpress.com/article/india/india-news-india/rajya-sabha-returns-aadhar-act-to-lok-sabha-with-oppn-amendments/
• http://thewire.in/2016/03/16/three-rajya-sabha-amendments-that-will-shape-the-aadhaar-debate-24993/
  
  

Appendix II - Section 43A: Compensation for Failure to Protect Data

Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected.

For the purposes of this section:

• "body corporate" means any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities;
• "reasonable security practices and procedures" means security practices and procedures designed to protect such information from unauthorised access, damage, use, modification, disclosure or impairment, as may be specified in an agreement between the parties or as may be specified in any law for the time being in force and in the absence of such agreement or any law, such reasonable security practices and procedures, as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit;
• "sensitive personal data or information" means such personal information as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit.'.
  
  

The term 'body corporate' has been defined under section 43A as "any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities"

Originally published in and cross-posted from The Wire.

Once upon a time, a king desired that his parrot should be taught all the ancient knowledge of the kingdom. The priests started feeding the pages of the great books to the parrot with much enthusiasm. One day, the king asked the priests if the parrot’s education has completed. The priests poked the belly of the parrot but it made no sound. Only the rustle of undigested pages inside the belly could be heard. The priests declared that the parrot is indeed a learned one now.

The fate of the welfare system in our country is quite similar to this parrot from Tagore’s parable. It has been forcefully fed identification cards and other official documents (often four copies of the same) for years, and always with the same justification of making it more effective and fixing the leaks. These identification regimes are in effect killing off the welfare system. And some may say that that has been the actual plan in any case.

The Aadhaar number has been recently offered as the ‘last chance’ for the ailing welfare system – a last identification regime that it needs to gulp down to survive. This argument wilfully overlooks the acute problems with the Aadhaar project.

Firstly, the ‘last chance’ for a welfare state in India is not provided by implementing a new and improved identification regime (Aadhaar numbers or otherwise), but by enabling citizens to effectively track, monitor, and ensure delivery of welfare, services, and benefits. This ‘opening up’ of the welfare bureaucracy has been most effectively initiated by the Right to Information Act. Instead of a centralised biometrics-linked identity verification platform, which gives the privilege of tracking and monitoring welfare flows only to a few expert groups, an effective welfare state requires the devolution of such privilege and responsibility.

We should harness the tracking capabilities of electronic financial systems to disclose how money belonging to the Consolidated Fund of India travel around state agencies and departmental levels. Instead, the Aadhaar system effectively stacks up a range of entry barriers to accessing welfare – from malfunctioning biometric scanners, to connectivity problems, to the burden of keeping one’s fingerprint digitally legible under all labouring and algorithmic circumstances.

Secondly, authentication of welfare recipients by Aadhaar number neither make the welfare delivery process free of techno-bureaucratic hurdles, nor does it exorcise away corruption. Anumeha Yadav has recently documented the emerging ‘unrest at the ration shop’ across Rajasthan, as authentication processes face technical and connectivity delays, people get ‘locked out’ of public services for not having or having Aadhaar number with incorrect demographic details, and no mechanisms exist to provide rapid and definitive recourse.

RTI activists at the Satark Nagrik Sangathan have highlighted that the Delhi ration shops, using Aadhaar-based authentication, maintain only two columns of data to describe people who have come to the shop – those who received their ration, and those who did not (without any indication of the reason). This leads to erasure-by-design of evidence of the number of welfare-seekers who are excluded from welfare services when the Aadhaar-based authentication process fails (for valid reasons, or otherwise).

Reetika Khera has made it very clear that using Aadhaar Payments Bridge to directly transfer cash to a beneficiary’s account, in the best case scenario, may only take care of one form of corruption: deception (a different person claiming to be the beneficiary). But it does not address the other two common forms of public corruption: collusion (government officials approving undue benefits and creating false beneficiaries) and extortion (forceful rent seeking after the cash has been transferred to the beneficiary’s account). Evidently, going after only deception does not make much sense in an environment where collusion and extortion are commonplace.

Thirdly, the ‘relevant privacy question’ for Aadhaar is not limited to how UIDAI protects the data collected by it, but expands to usage of Aadhaar numbers across the public and private sectors. The privacy problem created by the Aadhaar numbers does begin but surely not end with internal data management procedures and responsibilities of the UIDAI.

On one hand, the Aadhaar Bill 2016 has reduced the personal data sharing restrictions of the NIAI Bill 2010, and has allowed for sharing of all data except core biometrics (fingerprints and iris scan) with all agencies involved in authentication of a person through her/his Aadhaar number. These agencies have been asked to seek consent from the person who is being authenticated, and to inform her/him of the ways in which the provided data (by the person, and by UIDAI) will be used by the agency. In careful wording, the Bill only asks the agencies to inform the person about “alternatives to submission of identity information to the requesting entity” (Section 8.3) but not to provide any such alternatives. This facilitates and legalises a much wider collection of personal demographic data for offering of services by public agencies “or any body corporate or person” (Section 57), which is way beyond the scope of data management practices of UIDAI.

On the other hand, the Aadhaar number is being seeded to all government databases – from lists of HIV patients, of rural citizens being offered 100 days of work, of students getting scholarships meant for specific social groups, of people with a bank account. Now in some sectors, such as banking, inter-agency sharing of data about clients is strictly regulated. But we increasingly have non-financial agencies playing crucial roles in the financial sector – from mobile wallets to peer-to-peer transaction to innovative credit ratings. Seeding of Aadhaar into all government and private databases would allow for easy and direct joining up of these databases by anyone who has access to them, and not at all by security agencies only.

When it becomes publicly acceptable that the money bill route was a ‘remedial’ instrument to put the Rajya Sabha ‘back on track’, one cannot not wonder about what was being remedied by avoiding a public debate about the draft bill before it was presented in Lok Sabha. The answer is simple: welfare is the message, surveillance is the medium.

Acceptance and adoption of all medium requires a message, a content. The users are interested in the message. The message, however, is not the business. Think of Free Basics. Facebook wants people with none or limited access to internet to enjoy parts of the internet at zero data cost. Facebook does not provide the content that the users consume on such internet. The content is created by the users themselves, and also provided by other companies. Facebook own and control the medium, and makes money out of all content, including interactions, passing through it.

The UIDAI has set up a biometric data bank and related infrastructure to offer authentication-as-a-service. As the Bill clarifies, almost all agencies (public or private, national or global) can use this service to verify the identity of Indian residents. Unlike Facebook, the content of these services do not flow through the Aadhaar system. Nonetheless, Aadhaar keeps track of all ‘authentication records’, that is records of whose identity was authenticated by whom, when, and where. This database is gold (data) mine for security agencies in India, and elsewhere. Further, as more agencies use authentication based on Aadhaar numbers, it becomes easier for them to combine and compare databases with other agencies doing the same, by linking each line of transaction across databases using Aadhaar numbers.

Welfare is the message that the Aadhaar system is riding on. The message is only useful for the medium as far as it ensures that the majority of the user population are subscribing to it. Once the users are enrolled, or on-boarded, the medium enables flow of all kinds of messages, and tracking and monetisation (perhaps not so much in the case of UIDAI) of all those flows. It does not matter if the Aadhaar system is being introduced to remedy the broken parliamentary process, or the broken welfare distribution system. What matters is that the UIDAI is establishing the infrastructure for a universal surveillance system in India, and without a formal acknowledgement and legal framework for the same.

A response to the RTI is here.

1. The various government, private industry and civil society actors involved in the Smart Cities Mission.
2. The various agreements the Government has undertaken through PPP’s for financing the mission.
3. Role of private companies in this project.
4. The process for selecting the cities for this mission and ministry responsible for this task.
5. The various international organisations, foreign governments and multilateral bodies that will provide technical and financial assistance for this project.

The MoUD sent its reply to the RTI application and the response is as follows:

• With reference to the first query, the answer provided was that the mission statement and guidelines are available on the Missions website - smartcities.gov.in. This mission statement essentially envisages the role of citizens/citizen groups such as Resident Welfare Associations, Taxpayers Associations, Senior Citizens and Slum Dwellers Associations etc, apart from the government of India, States, Union Territories and Urban local bodies.
• Regarding information about agreements for the purpose of financing the project, it has been provided in the response that the Ministry would facilitate the execution of MoU’s between Foreign Agencies and States/UT’s for assistance under this mission. The two agreements that have been executed include the MoU between the United States Trade and Development Agency (USTDA) and the French Agency for Development (AFD) for the States/UT’s of Andhra Pradesh, Uttar Pradesh, Rajasthan, Maharashtra, Chandigarh and Puducherry. They have also provided us with copies of the same and they have been summarised below. They also go on to state that various countries like Spain, Canada, Germany, China, Singapore, UK and South Korea have also shown interest in collaborating with the Ministry for the development of Smart Cities.
• CIS sought the documents relating to role of private actors in this field. This information could not be provided by the Department since it was not available with them. Further, an application has been sent to the SC-III Division for providing the information directly to us.
• As regards the fourth query, the information provided states that the role of the government, States/UT’s and Urban Local Bodies has been envisaged in para 13 of the Smart Cities Mission Statement - smartcities.gov.in
• With respect to the query regarding the foreign actors involved, the information provided states that the documents relating to the involvement of the same are scattered in different files. Compilation of such information would divert the limited resources of the Public Authority disproportionately. Another application must be filed if any specific information is required.

Copies of several MoUs signed between Foreign Development Agencies and States (for the respective cities) that were shared with us are:

• Memorandum of Understanding between the United States Trade and Development Agency(USTDA) and the Government of Andhra Pradesh of the Republic of India on Cooperation to support the development of Smart Cities in Andhra Pradesh-namely Visakhapatnam.
• Memorandum of Understanding between the United States Trade and Development Agency (USTDA) and the Government of Rajasthan of the Republic of India on Cooperation to support the development of Smart Cities in Rajasthan- namely Ajmer.
• Memorandum of Understanding between the United States Trade and Development Agency (USTDA) and the Government of Uttar Pradesh of the Republic of India on Cooperation to support the development of Smart Cities in Uttar Pradesh- namely Allahabad.
• Memorandum of Understanding between the Agence Francaise De Developpement and the Government of the Union Territory of Chandigarh of the Republic of India on Technical Cooperation in the field of Sustainable Urban Development.
• Memorandum of Understanding between the Agence Francaise De Developpement and the Government of Maharashtra on Technical Cooperation in the field of Sustainable Urban Development.
• Memorandum of Understanding between the Agence Francaise De Developpement and the Government of the Union Territory of Puducherry of the Republic of India on Technical Cooperation in the field of Sustainable Urban Development.

Key clauses under the MoU between the United States Trade and Development Agency (USTDA) and the governments of Andhra Pradesh, Rajasthan and Uttar Pradesh are:

• The MoU undertaken by the USTDA for the development of Visakhapatnam, Allahabad and Ajmer clearly establishes that the document only cements the intention of the body to assist in the development of these cities and funding must be addressed separately.
• The USTDA intends to contribute specific funding for feasibility studies, study tours, workshops/training, and any other projects mutually determined, in furtherance of this interest. The USTDA will also fund advisory services for the same.
• The USTDA will seek to bring in other US government agencies such as the Department of Commerce, the US Export Import Bank and other trade and economic agencies to encourage US-India infrastructure development cooperation and support the development of smart cities in Vishakhapatnam, Allahabad and Ajmer.
• One of the key points the USTDA stresses on is the creation of a Smart Solutions for Smart Cities Reverse Trade Mission, where Indian delegates will get a chance to showcase their methodologies and inventions in the United States.
• The MoU also talks about involving industry organisations in the development of Smart Cities, to address important aviation and energy related infrastructure connected to developing smart cities.
• The respective State Governments of the cities will provide resources for the development of these smart cities, including technical information and data related to smart cities planning; staff, logistical and travel support, and state budgetary resources will be allocated accordingly.

Key clauses under the MoU between the Agency Francaise De Developpement (AFD) and the governments of Maharashtra, Chandigarh and Puducherry are:

• The MoU with AFD is along the same lines but with more detail provided in the field of research in sustainable urban development. It comprises of four articles dealing with implementation, research, resource allocation and cooperation.
• The AFD clearly states that it will adopt an active role in managing and implementing the project.
• The AFD will equip the respective state governments with a technical cooperation programme which will include a pool of French experts from the public sector, complemented by experts from the private sector.
• The MoU goes on to state the various vectors of sustainable urban development that will be the focal point of this project – urban transport, water and waste management, integrated development and urban planning, architecture and heritage, renewable energy, energy efficiency etc.
• Apart from strategizing, the AFD looks to provide technical support as well. This technical expertise would be used to strengthen strategy and management of urban services in the city.
• They would also play a key role in management through the creation of a Special Purpose Vehicle(SPV) to build strategic management (Human Resources, finance, potential market assessment) and capacity building for financial management.
• As per Article II of the MoU, this support framework will be accompanied by annual reviews, a policy similar to the USTDA Smart Solutions for Smart Cities Reverse Mission with Indian and French counterparts, collaboration between academic and research institutions for the exchange of information, documentation and results of research in the field of smart cities (a key policy to establish firm research groundwork and increase cooperation and innovation), capacity building research and development.
• Article III of the MoU deals with resource allocation wherein the respective State Governments will assist AFD by providing technical information and data related to smart cities planning, and also meet their logistical requirements.
  
  

Download the infographic: PDF and JPG.

License: It is shared under Creative Commons Attribution 4.0 International License.

Download the infographic: PDF and JPG.

License: It is shared under Creative Commons Attribution 4.0 International License.

Originally published by The Wire on April 24, 2016.

Since its introduction as a money bill in the Lok Sabha in the first week of March [1], the Aadhaar (Targeted delivery of Financial and other subsidies, benefits and services) Bill, 2016 has been embroiled in controversy. The Lok Sabha rejected the five recommendations of the Rajya Sabha and adopted the bill on March 16 and only presidential assent was required for it become to become valid law. However, former Union Minister Jairam Ramesh filed a writ petition contesting the decision to treat the Aadhaar Bill as a money bill. The petition is due to be heard before the Supreme Court on April 25, and should the court decide to entertain the petition, it could have far-reaching implications for the Aadhaar project and the manner in which money bills are passed by the Parliament.

There are three broad categories of bills (all legislations or Acts are known as ‘bills’ till they are passed by the Parliament) that the Parliament can pass. The first kind, Constitution Amendment Bills, are those that seek to amend a provision in the Constitution of India. The second are financial bills which contain provisions on matters of taxation and expenditure. Money bills are a subset of the financial bills which contain provisions only related to taxation, financial obligations of the government, expenditure from or receipt to the Consolidated Fund of India and any matters incidental to the above. The third category is of ordinary bills which includes all other bills. The process for the enactment of all these bills is different. Money bills are peculiar in that they can only be introduced in the Lok Sabha where it can be passed by simple majority. Following this, it is transmitted to the Rajya Sabha. The Rajya Sabha’s powers are restricted to giving recommendations on the Bill and sending it back to the Lok Sabha, which the Lok Sabha is under no obligation to accept. The decision to introduce the Aadhaar Bill as a money bill has been widely seen as an attempt to circumvent the Rajya Sabha where the ruling party is in a minority.

Article 110 (1) of the Constitution defines a money bill as one containing provisions only regarding the matters enumerated or any matters incidental to them. These are a) imposition, regulation and abolition of any tax, b) borrowing or other financial obligations of the Government of India, c) custody, withdrawal from or payment into the Consolidated Fund of India (CFI) or Contingent Fund of India, d) appropriation of money out of CFI, e) expenditure charged on the CFI or f) receipt or custody or audit of money into CFI or public account of India. Article 110 is modelled on Section 1(2) of the (UK) Parliament Act, 1911 which also defines the money bills as those only dealing with certain enumerated matters. The use of the word “only” was brought up by Ghanshyam Singh Gupta during the Constituent Assembly Debates. He pointed out that the use of the word “only” limits the scope of money bills to only those legislations which did not deal with other matters. His amendment to delete the word “only” was rejected clearly establishing the intent of the framers of the Constitution to keep the ambit of money bills extremely narrow.

While the Aadhaar Bill does make references to benefits, subsidies and services funded by the Consolidated Fund of India (CFI), even a cursory reading of the bill reveals its main objectives as creating a right to obtain a unique identification number and providing for a statutory apparatus to regulate the entire process. The mere fact of establishing the Aadhaar number as the identification mechanism for benefits and subsidies funded by the CFI does not give it the character of a money bill. The bill merely speaks of facilitating access to unspecified subsidies and benefits rather than their creation and provision being the primary object of the legislation. Erskine May’s seminal textbook, ‘Parliamentary Practice” is instructive in this respect and makes it clear that a legislation which simply makes a charge on the Consolidated Fund does not becomes a money bill if otherwise its character is not that of one.

PDT Achary, former secretary general of the Lok Sabha, has expressed concern about the use of Money Bills as a means to circumvent the Rajya Sabha. He has written here [2] and here [3], on what constitutes a money bill and how the attempts to pass off financial bills like the Aadhaar Bill as money bills could erode the supervisory role Rajya Sabha is supposed to play. This is especially true in the case of a legislation like the Aadhaar Bill which has far reaching implications for individual privacy as it governs the identification system conceptualised to provide a unique and lifelong identity to residents of India dealing with both the analog and digital machinery of the state and by virtue of Section 57 of any private entities. Already over 1 billion people have been enrolled under this identification scheme, and the project has been a subject of much debate and a petition before the Supreme Court. The project has been portrayed as both the last hope for a welfare state and surveillance infrastructure. Regardless of which of the two ends of spectrum one leans towards, it is undeniable that the law governing the Aadhaar project deserved a proper debate in the Parliament. Even those who are strong proponents of the project must accept the decision to pass it off as a money bill undermines the importance of democratic processes and is a travesty on the Constitution and a blatant abrogation of the constitutional duties of the speaker.

The petition by Jairam Ramesh would hinge largely on the powers of the judiciary to question the decision of the Speaker of the Lok Sabha. Article 110 (3) is very clear in pronouncing the authority of the Speaker as final and binding. Additionally, Article 122 prohibits the courts from questioning the validity of any proceedings in Parliament on the ground of any alleged irregularity of procedure. The powers of privilege that Parliamentarians enjoy are integral to the principle of separation of powers. However, the courts may be able to make a fine distinction between inquiring into procedural irregularity which is prohibited by the Constitution; and questioning an incorrect application of substantive principles, which I would argue, is the case with the Speaker decision.

References

[1] See: http://thewire.in/2016/03/07/arun-jaitley-introduces-money-bill-on-aadhar-in-lok-sabha-24115/.

[2] See: http://indianexpress.com/article/opinion/columns/show-me-the-money-4/.

[3] See: http://www.thehindu.com/opinion/lead/circumventing-the-rajya-sabha/article7531467.ece.

The article by Elonnai Hickok and Vanya Rakesh was published by Dataquest on April 25, 2016

Smart grid is a promising power delivery infrastructure integrated with communication and information technologies which enables monitoring, prediction and management of energy usages. Establishment of smart grids becomes highly important for the Indian economy, as the present grid losses are one of the highest in the world at upto 50% and costing India upto 1.5% of its GDP. India operates one of the largest synchronous grids in the world – covering an area of over 3 million sq km, 260 GW capacity and over 200 million customers with the estimated demand of India increasing 4 times by the year 2032.

In the year 2013, the Ministry of Power (MoP), in consultation with India Smart Grid Forum and India Smart Grid Task Force released a smart grid vision and roadmap for India, a key policy document aligned to MoP’s overarching objectives of “Access, Availability and Affordability of Power for All”. It lays plans for a framework to address cyber security concerns in smart grids as well. To achieve goals envisaged in the roadmap, the Government of India established the National Smart Grid Mission in the year 2015 for planning, monitoring and implementation of policies and programs related to Smart Grid activities.

A number of smart grid projects have been introduced, and are currently underway. KEPCO in Kerala has established smart meter/intelligent power transmission and distribution equipment system in the year 2011 and the smart grid operations focus on peak reduction, load standardization, reduction in power transmission/distribution loss, response to new/renewable energy and reduction in black-out time. Gujarat was introduced to India’s first modernized electrical grid in the year 2014, to study consumer behaviour of electricity usage and propose a tariff structure based on usage and load on the power utility by installing new meters embedded with SIM card to monitor the data. The Bangalore Electricity Supply Company Ltd. (BESCOM) project in Bangalore envisaged the Smart Grid Pilot Project for integration of renewable and distributed energy resources into the grid, which is vital to meet growing electricity demands of the country, curb power losses, and enhance accessibility to quality power.

Cybersecurity challenges

At the same time, the introduction of a smart grid brings with it certain security risks and concerns, particularly to a nation’s cyber security. Increased interconnection and integration may render the grids vulnerable to cyber threats, putting stored data and computers at great risk.With sufficient cyber security measures, policies and framework in place, a Smart Grid can be made more efficient, reliable and secure as failure to address these problems will hinder the modernization of the existing power system. Smart Grids, comprising of numerous communication, intelligent, monitoring and electrical elements employed in power grid, have a greater exposure to cyber-attacks that can potentially disrupt power supply in a city.

Initiatives in India

The National Cyber Security Policy 2013 was released with an umbrella framework for providing guidance for actions related to security of cyberspace, by the Department of Electronics and Information Technology (DeitY). The Working Group on Information Technology established under the Planning Commission has also published a 12 year plan on IT development in India with a road map for cyber security, stating six key priority and focus areas for cyber security including:Enabling Legal Framework ; Security Policy, Compliance and Assurance; Security R&D; Security Incident – Early Warning and Response ; Security awareness, skill development and training, and Collaboration.

In case of Bangalore, to ensure smooth implementation of BESCOM’s vision, the company realised the need to put a cyber-security system in place to protect the smart grid installations in Bangalore city. To ensure security, BESCOM has come out with a separate IT security policy and dedicated trained IT cadre to safeguard its data and servers, becoming one of the few Discoms in India to take such measures for safeguarding the servers and data network from cyber crimes and threats.

Way forward

An electric system like Smart grids has enormous and far-reaching economic and social benefits. However, increased interconnection and integration tends to introduce cyber-vulnerabilities into the grid. With the evolution of cyber threats/attacks over time, it can be said that there are a lot of challenges for implementing cyber security in Indian smart grid. Considering importance of secure smart grid networks for flagship projects in India, the existing regulatory framework does not seem to adequately take into consideration the cyber security implications.

In light of this, the government must aim to develop and adopt high level cybersecurity policy to withstand cyber-attacks. Also, India must focus on skills development in this domain and have a capable workforce to achieve the targets set by Indian Government. The country must look up to develop an overall intelligence framework that brings together industry, governments and individuals with specific capabilities for this purpose.

The National Cyber Security Policy 2013, protecting public and private infrastructure from cyber attacks, along with all kinds of information, such as personal information of web users, banking and financial information,etc. is yet to be implemented by the Government properly. In the Indian Power sector, the cyber security regulations or mandates are absent in the National Electricity Policy (NEP) as well as the Electricity Act 2003 and its amendment in 2007, with no reference to cyber security concerns. These key legislations must be amended to take into account the growing challenges due to increased use of ICT in the power sector.

Apart from policy and regulatory measure, the system on which the smart grids are built and networked must be made architecturally strong and secure.One of the areas where due attention is required is making the Supervisory Control and Data Acquisition (SCADA) secure, a system that operates with coded signals to provide control of remote equipment and is entirely based on computer systems and network. Numerous systems also employ the Public Key Infrastructure (PKI) to secure the Smart Grids and address the security challenges by enabling identification, verification, validation and authentication of connected meters for network access. This can be leveraged for securing data integrity, revenue streams and service continuity. The key vulnerable areas prone to cyber attacks on information transmission are network information, data integrity and privacy of information. The information transmission networks must be well-designed as the network unavailability may result in the loss of real-time monitoring of critical smart grid infrastructures and power system disasters.

Addressing these fast growing challenges and cyber security needs of the country by adopting suitable regulatory, policy and architectural steps would help achieve the objectives of Digital India and Smart Cities enabling “Access, Availability and Affordability for All”.

Nehaa Chaudhari provided inputs and also edited the blog post. Click to download the File.

Several instances of the online privacy intrusion by the content producers have been recorded. In such a scenario the balancing the rights of the content producers and the end users becomes an important one. It is imperative to find a common ground to safeguard the interests of both the parties involved. In the recent past DRM has been receiving a lot of flak because of the privacy issues contented by the users.

In the most rudimentary form privacy can be explained as any information about an individual which he/she does not want to be made public. It is important to mention that this information is seen from the perspective of an ordinary reasonable person. The UN Declaration of Human Rights, 1948, defines privacy as a fundamental right of every human. The functioning of the DRM is based on restricting the usage or distribution of the content. Since this restriction is only possible after there is a formal identification of the end user, the content producers end up collecting information about the users. For example: a DRM for a music file might work in a manner where it can only be accessed by one computer from which the user accesses and registers for the first time. DRMs initially identify the IP addresses of the system and make the file functioning on only that IP address. In this way the producer ends up collecting information about the end user. Different DRM models take different ways to collect information of their user. While collecting IP addresses in one of them the other way is tracking the user information via download, browsing activities, subscription service, etc. The usage log of the users is generated and becomes a valuable asset to assess and predict the preferences of the users

Two contentions of privacy have been raised on the privacy issues of DRM -

a) What is the accountability of this process and

b) Whether it puts the content producers in a position where they can control the users.

The information collected is under the control of content producers, who mostly store this information in the form database. BEUC (European Consumer Organization) claimed that the DRM systems technologically enable content providers to monitor private consumption of content, create reports of consumption, and profile users.

The information is at the disposal of the content producers. An assessment of DRM applications under Canadian Privacy showed that the firms did not even recognise privacy issues of the customers as a priority. In fact the firms failed to provide the information that was stored in their databases. This gives an idea about the lack of transparency that exists in collecting the information about users. The question whether users are aware of what information is being collected and to what extent they are being tracked online remains unanswered. The CEN/ISSS (European Committee for Standardization/ Information Society Standardisation System) pointed out that DRMs have a large potential to transmit, generate personal information about users. It has also been characterized by unprecedented levels of monitoring by various content producers.

Further the principled level argumentation to this is on lines of collection of information without any authentication from the user herself/himself. It is essential that if any information is collected or saved by the producers it should only be after taking consent of the user. Surveillance and compelled disclosure of information about intellectual consumption threaten rights to personal integrity.

DRMs take away the anonymity of the consumption. Since the producers can practically monitor the content usage of the user, this has led to wide scale of price discrimination. This means that producers would monitor and assess the preferences of the user and subsequently raise the prices of that particular class of products. In the report of FIPR (Foundation of Information Policy and Research) it was found that Microsoft had been trying to implement their DRM systems in their products using a similar approach to gain a monopoly position as in their strategy of browser implementation.

The Sony BMG copy protection rootkit scandal in 2005 brought much criticism to DRM. It was found out that Sony BMG had introduced illegal and harmful copy protection measure in its CDs. The rootkit element of the software is used to hide virtually all traces of the copy protection software's presence on a PC, so that an ordinary computer user would have no way to find it. Further more than just the DRM part of it the software also made the user's system open to a number of malwares and created vulnerabilities in the system. Sony was eventually made to compensate consumer costs, etc on the same. However the question of whether the database in the hands of companies can be used in arbitrary manner was intensely discussed after this.

It is essential that an effective framework is brought into effect which caters to privacy interests of the users. Privacy is the basic human right and it is the onus of the State to protect and safeguard this right. It is essential that the State does not compromise and support mechanisms which promote the welfare of the content producers over the users. The balance of users and producers becomes all the more important in a developing country like ours. The lack the awareness and the knowledge coupled with increasing usage of internet can lead to the exploitation of many. It is essential that the States see through these problems and collectively find an all encompassing solution to it.

Published by and cross-posted from The Wire.

The Aadhaar Act 2016, passed in the Lok Sabha on March 16, 2016, faced opposition ever since it was tabled in parliament. In particular, the move to introduce it as a money bill has been vehemently challenged on grounds of this being an attempt to bypass the Rajya Sabha completely. A writ petition has been filed by former Union minister Jairam Ramesh on April 6 challenging the constitutionality and legality of the treatment of this Act as a money bill. The Supreme Court heard the matter on April 25 and invited the Union government to present its view.

It is our view that the Supreme Court can not only review the Lok Sabha speaker’s decision, but should also ask the government to draft the Aadhaar Bill again, this time with greater parliamentary and public deliberation.

The money bill question

M.R. Madhavan has argued that the Aadhaar Act contains matters other than “only” those incidental to expenditure from the consolidated fund, as it establishes a biometrics-based unique identification number for beneficiaries of government services and benefits, but also allows the number to be used for other purposes beyond service delivery. While Pratap Bhanu Mehta calls this a subversion of “the spirit of the constitution”, P.D.T. Achary, former secretary general of the Lok Sabha, expressed concern about the attempts to pass off financial bills like Aadhaar as money bills as a means to circumvent and erode the supervisory role of the Rajya Sabha. Arvind Datar has further emphasised that when the primary purpose of a bill is not governed by Article 110(1), then certifying it as a money bill is an unconstitutional act.

Article 110(1) of the Constitution identifies a bill as a money bill if it contains “only” provisions dealing with the following matters, or those incidental to them:

1. imposition and regulation of any tax,
2. financial obligations undertaken by Indian Government,
3. payment into or withdrawal from the Consolidated Fund of India (CFI) or Contingent Fund of India,
4. appropriation of money and expenditure charged on the CFI or receipt, and
5. custody, issue or audit of money into CFI or public account of India.

However, the link of the Act with the Consolidated Fund of India is rather tenuous, since it depends on the Union or state governments declaring a certain subsidy to be available upon verification of the Aadhaar number. The objectives and validity of the Act would not actually change if the Aadhaar number no longer was directly connected to the delivery of services. The use of the word “if” in section 7 explicitly leaves scope for a situation where the government does not declare an Aadhaar verification as necessary for accessing a subsidy. In such a scenario, the Act will still be valid but without any formal connection with any charges on the Consolidated Fund of India.

A case of procedural irregularity?

The constitution of India borrows the idea of providing the speaker with the authority to certify a bill as money bill from British law, but operationalises it differently. In the UK, though the speaker’s certificate on a money bill is conclusive for all purposes under section 3 of the Parliament Act 1911, the speaker is required to consult two senior members, usually one from either side of the house, appointed by the committee from amongst those senior MPs who chair general committees. In India, the speaker makes the decision on her own.

Although article 110 (3) of the Indian constitution states that the decision of the speaker of the Lok Sabha shall be final in case a question arises regarding whether a bill is a money bill or not, this does not restrict the Supreme Court from entertaining and hearing a petition contesting the speaker’s decision. As the Aadhaar Act was introduced in the Lok Sabha as a money bill even though it does not meet the necessary criteria for such a classification, this treatment of the bill may be considered as an instance of procedural irregularity.

There is ample jurisprudence on what happens when the Supreme Court’s power of judicial review comes up against Article 122 – which states that the validity of any proceeding in the parliament can (only) be called into question on the grounds of procedural irregularities. In the crucial judgment of Raja Ram Pal vs Hon’ble Speaker, Lok Sabha and Others (2007), the court evaluated the scope of judicial review and observed that although parliament is supreme, unlike Britain, proceedings which are found to suffer from substantive illegality or unconstitutionality, cannot be held protected from judicial scrutiny by article 122, as opposed to mere irregularity. Deciding upon the scope for judicial intervention in respect of exercise of power by the speaker, in Kihoto Hollohan vs Zachillhu and Ors. (1992), the Supreme Court held that though the speaker of the house holds a pivotal position in a parliamentary democracy, the decision of the speaker (while adjudicating on disputed disqualification) is subject to judicial review that may look into the correctness of the decision.

Several past decisions of the Supreme Court discuss how the tests of legality and constitutionality help decide whether parliamentary proceedings are immune from judicial review or not. In Ramdas Athawale vs Union of India (2010), the case of Keshav Singh vs Speaker, Legislative Assembly (1964) was referred to, in which the judges had unequivocally upheld the judiciary’s power to scrutinise the actions of the speaker and the houses. It was observed that if the parliamentary procedure is illegal and unconstitutional, it would be open to scrutiny in a court of law and could be a ground for interference by courts under Article 32, though the immunity from judicial interference under this article is confined to matters of irregularity of procedure. These observations were reiterated in Mohd. Saeed Siddiqui vs State of Uttar Pradesh (2014) and Yogendra Kumar Jaiswal vs State of Bihar (2016).

Thus, the decision of the Lok Sabha speaker to pass and certify a bill as a money bill is definitely not immune from judicial review. Additionally, the Supreme Court has the power to issue directions, orders or writs for enforcement of rights under Article 32 of the constitution, therefore, allowing the judiciary to decide upon the manner of introducing the Aadhaar Act in parliament.

National implications demand public deliberation

As the provisions of the Aadhaar Act have far reaching implications for the fundamental and constitutional rights of Indian citizens, the Supreme Court should look into the matter of its identification and treatment as a money bill and whether such decisions lead to the thwarting of legislative and procedural justice.

The Supreme Court may also take this opportunity to reflect on the very decision making process for classification of bills in general. As Smarika Kumar argues, experience with the Aadhaar Act reveals a structural concern regarding this classification process, which may have substantial implications in terms of undermining public and parliamentary deliberative processes. This “trend,” as Arvind Datar notes, of limiting legislative discussions and decisions of national importance within the space of the Lok Sabha must be swiftly curtailed.

Apart from deciding upon the legality of the nature of the bill, it is vital that the apex court ask the government to categorically respond to the concerns red-flagged by the Standing Committee on Finance, which had taken great exception to the continued collection of data and issuance of Aadhaar numbers in its report, and to the recommendations passed in the Rajya Sabha recently. Further, the repeated violation of the Supreme Court’s interim orders – that the Aadhaar number cannot be made mandatory for availing benefits and services – in contexts ranging from marriages to the guaranteed work programme should also be addressed and responses sought from the Union government.

Evidently, the substantial implications of the Aadhaar Act for national security and fundamental rights of citizens, primarily privacy and data security, make it imperative to conduct a duly balanced public deliberation process, both within and outside the houses of parliament, before enacting such a legislation.

The judgment on the plea to de-criminalise defamation is out and despite its verbosity and rich vocabulary is an embarrassment to our recent judicial milestone of constitutional challenges. In the case of Subramanian Swamy vs. Union of India, a two judge bench headed by Justice Dipak Misra, has upheld the constitutionality of Section 499 and Section 500 of Indian Penal Code, 1860 (IPC) and Section199 of Code of Criminal Procedure, 1973 (CrPC) that criminalise defamation.

The judgment has not satisfactorily answered several pertinent questions. Various significant issues relating to the existing regime of defamation have been touched upon in the judgment but the bench has skipped the part where it is required to analyse and give its own reasoning for upholding or reading down the law. This post points out what should have been looked at.

A. Whether defamation is a public or a private wrong?  What is the State’s interest in protecting the reputation of an individual against other private individuals? Is criminal penalty for defamatory statements an appropriate, adequate or disproportionate remedy for loss of reputation?

At the core of the debate to decriminalise defamation lies the question, whether defamation is a public or a private wrong. The question was raised in the Subramanian Swamy case and the court held that defamation is a public wrong. Our problem with the court’s decision lies in its failure to provide a sound and comprehensive analysis of the issue. In order to understand whether defamation is a public or a private wrong, it is necessary that we look at what reputation means, what happens when reputation is harmed and whose interests are affected by such harm.

Reputation is not defined in law, however the Supreme Court has held that reputation is a right to enjoy the good opinion of others and the good name, the credit, honour or character which is derived from such favourable public opinion. The definition reflects several elements that constitute reputation which when harmed have different bearing on the reputation of an individual. Academic Robert C Post in his paper, The Social Foundations on Defamation Law: Reputation and Constitution, says that reputation can be understood as a form of intangible property akin to goodwill or as dignity (the respect including self-respect that arises from observance of rules of the society). While reputation when seen as property can be estimated in money and thus adequately compensated through a civil action for damages, loss of dignity is not a materially quantifiable loss, and thus, monetary compensation appears irrelevant. The purpose of the defamation law could either be to ensure that reputation is not wrongfully deprived of its proper market value or the respect/acceptance of the society. Explanation 4 to Section 499 of the IPC accommodates both such situations and provides that reputation is harmed if it directly or indirectly, in the estimation of others, lowers the moral or intellectual character of that person, or lowers the character of that person in respect of his caste or of his calling, or lowers the credit of that person, or causes it to be believed that the body of that person is in a loathsome state, or in a state generally considered as disgraceful.

Post adds that an individual’s reputation is a product of his interaction with the society by following the norms of conduct (which he calls rules of civility) created by the society, thus the society has an interest in enforcing its rules of civility through defamation law by policing breaches of these rules. Criminal defamation acknowledges that loss of reputation is a wrong to the societal interests; however these interests have not been deliberated upon by the courts in India.

The Subramanian Swamy case was an occasion where, it was imperative that the court took up this exercise and explained what interest the society had in protecting the reputation of an individual for it to be classified as a public wrong. The court stated, “the law relating to defamation protects the reputation of each individual in the perception of the public at large. It matters to an individual in the eyes of the society. There is a link and connect between individual rights and the society; and this connection gives rise to community interest at large. Therefore, when harm is caused to an individual, the society as a whole is affected and the danger is perceived” With this reasoning it can be inferred that the society has an interest in all private wrongs. Where would that inference land us? This reasoning is ambiguous and inadequate.

On the other hand, criminal penalty for perfectly private wrongs such as copyright infringement and dishonour of cheques urges us to ask if there is a problem with the rigid distinction of public and private wrongs. Should we be asking the question differently?

The judgment has provided extremely inadequate answers to this question and has left matters ambiguous.

B. Can the right to reputation under Article 21 be enforced against another individual’s freedom of expression and are safeguards already built in law so as not to unreasonably restrict and stifle free expression in this regard?

Defamation finds a place in the list of constitutionally allowed restrictions on freedom of speech under Article 19 (2). Defamation protects the right to reputation of an individual thus free expression by this reason is subject to the right to reputation of an individual. The court had repeatedly observed that right to reputation is a part of the right to life under Article 21 of the Constitution. The question of enforceability of right to reputation under Article 21 against freedom of expression under Article 19 (1) (a) came into question in the instant case; it was contended that a fundamental right is enforceable against the State but cannot be invoked to serve a private interest of an individual. Thus, the right to reputation as manifested in defamation being a wrong committed against a private person by another person is unconnected and falls outside the scope of Article 19 (2). It is pertinent to note that Article 21 (which includes right to reputation) is enforceable not only against the state but also against private individuals. What is relevant here is an understanding of horizontal enforceability of fundamental rights (certain fundamental rights can be enforced against private individuals and non-state actors). This would help explain the dilemma in enforcing the right to reputation of an individual against free speech of another individual. It is vaguely mentioned in the judgment (see para 88) but has not been deliberated upon.

What follows from the discussion of enforceability of right to reputation, is the discussion on how reasonably it restricts speech. The Supreme Court has previously held that while determining reasonableness, the underlying purpose of the restrictions imposed, the extent and urgency of the evil sought to be remedied thereby, the disproportion of the imposition, the prevailing conditions at the time, should all enter into the judicial verdict. We briefly analyse the critical aspects of the regime of criminal defamation on these parameters.

Underlying purpose

At the heart of the defamation law is the need to find the most suitable remedy for loss of reputation of an individual. How does one restore reputation of an individual in the society and whether criminal penalty an appropriate remedy?

Extent of restriction

The extent to which defamation law restricts free speech could be analysed by looking at various aspects such as what kind of speech is considered defamatory, what procedure is followed to bring action against the alleged wrong doer and scope of abuse of the law. Explanation 1 to Section 499 of IPC provides that a statement or imputation is defamatory if it is not made in public good. It is not sufficient to prove that such statement or imputation is in fact true. The idea of public good is at best vague without any means to evaluate it. Further, under Section 199 of CrPC allows multiple complaints to be filed in different jurisdictions for a single offensive publication. Besides, usage of terms like “some person aggrieved” leaves room for parties other than the person in respect of whom defamatory material is published to bring action and the provision also allows the privilege of two sets of procedures for prosecution (in official capacity and in private capacity) to public servants without satisfactory reasoning provided for such discrimination. These provisions have the potential to be used to file frivolous complaints and could be a handy tool for harassment of journalists or activists among others.

Proportionality

Does the publication or imputation of defamatory material warrant payment of fine and imprisonment? Earlier in the post, we brought up the question of relevance of such measures to the act of defamation. Assuming that it is relevant, do we think it is harsh or commensurate to the wrongful act. It is necessary to look at the process of prosecution before we determine the proportionality of the restriction. Criminal law assumes that the accused is innocent until he is proven guilty. Therefore until the judiciary determines that the act of defamation was committed, how does the process help the accused in maintaining status quo.  It is also pertinent to look at the threshold for civil defamation. Under the civil wrong of defamation, truth works as a complete defence while under criminal defamation, a statement despite being true could invite penalty if it is not published in public good. Thus a lower threshold for criminal liability would upset the balance of proportionality. These aspects are critical to determine the reasonableness of criminal defamation and it is unfortunate that the judgment that runs into hundreds of pages has not evaluated them.

Conclusion

The convoluted debate on criminal defamation remains intact post the pronouncement of this judgment. Questions of competing interests of society and individuals or individuals per se, and ambiguous rationale behind imposition of liability, arbitrariness of procedure for prosecution have not been examined. Further, the hardship in compartmentalising free speech, the right to reputation and the right to privacy remains unanswered.

To,
Ministry of Health and Family Welfare,
Room 307 D,
Nirman Bhavan,
New Delhi 110108

Subject: Comments on the Electronic Health Record (EHR) Standards of India

The Electronic Health Record (EHR) Standards (hereinafter “EHR Standards”) were publicly circulated on March 18, 2016 seeking comments and views from stakeholders and the general public. Having reviewed the EHR Standards and referred to other robust standards dealing with the same subject matter, we wish to submit the following comments on the EHR Standards.

Standards and Interoperability

The EHR Standards state that the "primary aim of interoperability standards is to ensure syntactic (structural) and semantic (inherent meaning) interoperability of data amongst systems at all times" [1]. It is mentioned that set of standards outlined in this document represents an incremental approach to adopting standards and that they need to be flexible and modifiable to adapt to the demographic and resource diversity in India.

Comments:

1. The EHR Standards make a reference to syntactic and semantic interoperability without really defining these terms or stipulating clear steps for how they may be achieved. It is suggested that these terms are clearly defined. Syntactic interoperability can be defined as ensuring the preservation of the clinical purpose of the data during transmission among healthcare systems. Similarly, semantic interoperability can defined as enabling multiple systems to interpret the information that has been exchanged in a similar way through pre-defined shared meaning of concepts [2].
2. Inadequate human resource capacity remains a critical challenge to the adoption of e-health standards. The WHO and ITU eHealth Strategy Toolkit [3] recommends the development of effective health ICT workforce, capable of designing, building, operating and supporting e-health services. This workforce could participate in standards development, as well as the localization of international standards to fit a country's specific need. The EHR Standards should also include mechanisms and solutions to address these issues.

Ownership of Data

The physical or electronic records, which are generated by the healthcare provider are held in trust by them on behalf of the patient [4]. It is stated that the contained data which is sensitive personal data or personal information of the patient as per the Information Technology Act, 2000 is owned by the patients, however the medium for storage or transmission of such data is owned by the healthcare provider.

Comments:

1. Currently, the EHR Standards state that the contained data which are the sensitive personal data of the patient is owned by the patient. While medical records and history is included within the scope of sensitive personal data under the Information Technology Act, 2000, the definition of "Personal Health Information" under the EHR Standards is more expansive. Therefore, it is recommended that all Personal Health Information is deemed to be owned by the patient.
2. Currently, the EHR Standards do not clearly specify the bodies and individuals who would be subject to the requirements under this document. A definition similar to that of "covered entities" under the US Health Insurance Portability and Accountability Act (HIPAA) could be used [5].

Privileges of Patient

Currently, the privileges of the patient include the rights to inspect and view their medical records. Further, the patient can request a healthcare organization that stores/maintains their medical records, to withhold specific information that they do not want disclosed to other

organizations or individuals. Also, patients can demand information from a healthcare provider on the details of disclosures performed on the patient's medical records [6].

Comments:

1. Currently, the EHR Standards only refer to "medical records" as being available for inspection and review of the patients. This should be expanded to also include information about enrollment, payment, claims adjudication, case or medical management record systems maintained by or for a health plan; or Other records that are used, to make decisions about individuals by healthcare providers or other bodies [7].
2. The EHR standards do not currently stipulate that the upon request by a patient, healthcare providers must exercise timeliness in providing the information to them. A time-limit such 30 calendar days should be clearly stated within which the healthcare provider must process the request.
3. The right of patients to request information from a healthcare provider on the details of disclosures should include within its scope the rights to receive the date of the disclosure; the name and address of the entity or person who received the information; a brief description of the medical information disclosed; and; a brief summary of the purpose of the disclosure [8].
4. A right to seek amendment of the one's medical records should also be provided to patients in cases where the information is incomplete.

Patient Identifying Information

Under the Standards, Personal identifiers include the following: Name, Address (all geographic subdivisions smaller than street address, and PIN code) All elements (except years) of dates related to an individual (including date of birth, date of death, etc.), Telephone, cell (mobile) phone and/or Fax numbers, Email address, Bank Account and/or Credit Card Number, Medical record number, Health plan beneficiary number, Certificate/license number, Any vehicle or other any other device identifier or serial numbers, PAN number, Passport number, AADHAAR card, Voter ID card, Fingerprints/Biometrics, Voice recordings that are non-clinical in nature, Photographic images and that possibly can individually identify the person, Any other unique identifying number, characteristic, or code [9].

Comments:

The above mentioned list is not adequate and exhaustive such as the definition and scope of Protected Health Information under the HIPAA [10]. The following identifiers must be included within the scope of Patient Identifying Information: Device identifiers and serial numbers, Web Universal Resource Locators (URLs), Internet Protocol (IP) address numbers.

Disclosure of Protected/Sensitive Information

The EHR Standards state that disclosure of protected/sensitive information for use in treatment, payments and other healthcare operations must be only done after obtaining a general consent of the patient. On the other hand, disclosures for for non-routine and most non-health care purposes must be done only after obtaining the specific consent of the patient. Only for certain specified national priority activities, such as notifiable/communicable diseases, it is stated that "the health information may be disclosed to appropriate authority as mandated by law without the patient's prior authorization."

Comments:

1. The terms "specific consent" and "general consent" need to be clearly defined.
2. In cases of disclosures for for non-routine and most non-health care purposes, a written authorisation should be mandatory. It should be clearly specified that a healthcare provider may not condition treatment, payment, enrollment, or benefits eligibility on an individual granting an authorization.
3. There is confusion due to the use of numerous terms such as "health information", "protected health information", "sensitive personal data", "personal information" and "protected/sensitive information" in the EHR Standards for the same purpose. Some of these above terms are defined while the others are not. In order to remove the ambiguity caused due to this, it is recommended that the term "protected health information" is used throughout the document.
4. All bodies dealing with medical data should be required to abide by the principle of "data minimisation" in use and disclosure. They must take reasonable efforts to use, disclose, and request only the minimum amount of protected health information needed to accomplish the intended purpose of the use, disclosure, or request.
5. For internal uses, healthcare providers and other entities must develop and implement policies and procedures that restrict access and uses of protected health information based on the specific roles of the members of their workforce.

Amber Sinha,
Centre for Internet and Society,
No. 194, 2nd 'C' Cross,
Domlur, 2nd Stage,
Bengaluru, 560071

We at the Centre for Internet and Society are grateful for the opportunity to comment on the draft new ICANN by-laws. Before we comment on specific aspects of the Draft by-laws, we would like to make a few general observations:

Broadly, there are significant differences between the final form of the by-laws and that which has been recommended by the participants in the IANA transition process through the ICG and the CCWG. They have been shown to be unnecessarily complicated, lopsided, and skewed towards U.S.-based businesses in their past form, which continues to reflect in the current form of the draft by-laws.

The draft by-laws are overwrought, but some of that is not the fault of the by-laws, but of the CCWG process itself.  Instead of producing a broad constitutional document for ICANN, the by-laws read like the worst of governmental regulations that go into unnecessary minutiae and create more problems than they solve. Things that ought not to be part of fundamental by-laws — such as the incorporating jurisdiction of PTI, on which no substantive agreement emerged in the ICG — have been included as such.

Simplicity has been seen as a sin and has made participation in this complicated endeavour an even more difficult proposition for those who don’t choose to participate in the dozens of calls held every month. On specific substantive issues, we have the following comments:

Jurisdiction of ICANN’s Principal Office

Maintaining by-law Article XVIII, which states that ICANN has its principal office in Los Angeles, California, USA, these Draft by-laws make an assumption that ICANN’s jurisdiction will not change post transition, even though the jurisdiction of ICANN and its subsidiary bodies is one of the key aspects of post transition discussion to be carried out in Work Stream 2 (WS2). Despite repeated calls to establish ICANN as an international community based organisation (such as the International Red Cross or International Monetary Fund), the question of ICANN's future jurisdiction was deferred to WS2 of the CCWG-Accountability process. All of the new proposed by-laws have been drafted with certainty upon ICANN's jurisdiction remaining in California. Examples of this include the various references to the California Civil Code in the by-laws and repeated references to entities and structures (such as public benefit corporations) in the fundamental by-laws of the ICANN that can only be found in California.

This would make redundant any discussion in WS2 regarding jurisdiction, since they cannot be implemented without upending the decisions relating to accountability structures made in WS1, and embedded in the by-laws.

CIS suggests an provision expressly be inserted in the by-laws to allow changes to the by-laws in WS2 insofar as matters relating to jurisdiction and other WS2 issues are concerned, to make it clear that there is a shared understanding that WS2 decisions on jurisdiction are not meant to be redundant.

Jurisdiction of the Post-Transition IANA Authority (PTI)

The structure of the by-laws and the nature of the PTI in Article 16 make its Californian jurisdiction integral to the very organisation as a whole and control all its operations, rights and obligations. This is so despite this issue not having been included in the CWG report (except for footnote 59 in the CWG report, and as a requirement proposed by ICANN’s lawyers, to be negotiated with PTI’s lawyers, in Annex S of the CWG report).  The U.S. government’s requirement that the IANA Functions Operator be a U.S.-based body is a requirement that has historically been a cause for concern amongst civil society and governments.  Keeping this requirement in the form of a fundamental by-law is antithetical to the very idea of internationalizing ICANN, and is not something that can be addressed in Work Stream 2.

CIS expressed its disagreement with the inclusion of the U.S-jurisdiction requirement in Annex S in its comments to the ICG. Nothing in the main text of the CWG or ICG recommendations actually necessitate Californian jurisdiction for the PTI.  Thus, clearly the draft by-laws include this as a fundamental by-law despite it not having achieved any form of documented consensus in any prior process. This being a fundamental by-law would make shifting the PTI’s registered and principal office almost impossible once the by-laws are passed.

No reasoning or discussion has been provided to justify the structure, location and legal nature of the PTI. The fact that the revenue structure, by-laws and other details have not even been hinted at in the current document, indicate that the true rights and obligations of PTI have been left at the sole discretion of the ICANN while simultaneously granting it fundamental by-law protection. This is not only deeply problematic on front of delegation of excessive responsibility for a key ICANN function without due oversight but also leads to situation where the community is agreeing to be bound to a body whose fundamental details have not even been created yet, and yet is a fundamental by-law.

CIS would therefore suggest that the PTI related clauses in the by-laws be solely those on which existing global Internet community consensus can be shown, and the PTI’s jurisdiction is not something on which such consensus can be shown to exist.  Therefore the by-laws should be rewritten to make them agnostic to PTI’s jurisdiction. Further, CIS suggests that the law firm appointed for PTI be non-American, since U.S.-based law firms capable law firms in Brazil, France, and India.

We would also like to note that we have previously proposed that PTI’s registered office and ICANN’s registered office be in different jurisdictions to increase jurisdictional resilience against governmental and court-based actions.

Grandfathering Agreements Clause

A fair amount of discussion has taken place both in the CCWG mailing list about Section 1.1 (d)(ii), which concerns the inclusion of certain agreements into the scope of protection granted to ICANN from its Mission and Objective statement goals. CIS largely agrees with the positions taken by the IAB and CCWG in their comments of demanding the removal of parts B, C, D E and F of Section 1.1(d)(ii) as all of these are agreements that were not included in the scope of the CCWG Proposal and a fair few of these agreements (such as the PTI agreement) have not even been created yet. This leads to practical and legal issues for the ICANN as well as the community as it restricts possible accountability and transparency measures that may be taken in the future.
CIS as its suggestion therefore agrees with the IAB and CCWG in this regard and supports the request by them that demand by these grandfathering provisions be removed.

Inspection Rights

Section 22.7 severely limits the transparency of ICANN’s functioning, and we believe it should be amended.

(a) It limits Inspection Requests to Decisional Participants and does not allow for any other interested party to make a request for inspection.  While the argument has been made that Californian law requires inspection rights for decisional participants, neither the law nor CCWG’s recommendations require restricting the inspection rights to decisional participants. CIS’s suggestion is to allow for any person in the public to make a request for examination, but to have to declare the nature of the public interest behind requests for non-decisional participants, so that an undue number of requests are not made for the purpose of impairing the operations of the organisation.

(b) The unclear but extremely limited definition of ‘permitted scope’, which does not allow one to question any ‘small or isolated aspect’ of ICANN’s functioning, where there is no explicit definition of what constitutes the scope of matters relevant to operation of ICANN as a whole, leaving a loophole for potential exploitation. CIS suggests the removal of this statement and to allow only for limitations listed in Section 22.7 (b) for Inspection Requests.

(3) There is no hard deadline provided for the information to be made available to the querying body, thus allowing for inordinate delays on the part of the ICANN, which is open to abuse. CIS suggests the removal of the clause ‘or as soon as reasonably practicable thereafter’ in this section.

(4) The need for insisting that the material be used only for restricted purposes. CIS suggests that as a step towards ICANN’s transparency, it is essential that they allow the use of the information for any reason deemed necessary by the person demanding inspection. There is no clear reason to require restriction to EC proceedings for non-confidential material.  This requirement should be removed.

Work Stream 2 Topics

Section 27.2, which covers necessary topics for WS2, currently does not include key aspects such as PTI documents, jurisdictional issues, etc. In this light, we suggest that they be included and a clause be inserted to indicate that this list of topics is indicative and the CCWG can expand the scope of items to be worked on in WS2 as well as make changes to work completed in WS1 (such as these by-laws) to meet WS2 needs as well.

FOI-HR

Section 27.3 (a) requires the FOI-HR to be approved by "(ii) each of the CCWG-Accountability’s chartering organizations..” which is inconsistent with the CCWG proposal that forms the basis for these by-laws. The requirement of formal approval from every Chartering Organisation in the current draft is inconsistent with Annex 6 of the CCWG proposal, that has no such requirement.

CIS strongly advocates for a change in the bylaw text to align with the intent of the CCWG Accountability report, and to reflect that the process of developing the FOI-HR shall follow the same procedure as Work Stream 1.

Contracts with ICANN

Section 27.5 currently states that “Notwithstanding the adoption or effectiveness of the New by-laws, all agreements, including employment and consulting agreements, entered by ICANN shall continue in effect according to their terms.”

As the section currently stands, there is a possibility that prior to the creation of by-laws, agreements that may be in contravention of the by-laws may be brought forth intentionally before the commencement of the operation of ICANN’s Mission statement in the said by-laws. The clause may be updated as follows to avoid this —

“Notwithstanding the adoption or effectiveness of the New by-laws, all agreements, including employment and consulting agreements, entered by ICANN shall continue in effect according to their terms, provided that they are in accordance with ICANN’s Mission Statement.”

The article was published in the Wire on May 14, 2016.

Politics and censorship

Two kinds of defamation actions have emerged to capture popular attention. First, political interests have adopted defamation law to settle scores and engage in performative posturing for their constituents. And, second, powerful entities such as large corporations have exploited weaknesses in defamation law to threaten, harass, and intimidate journalists and critics.

The former phenomenon is not new. Colonial India saw an explosion of litigation as traditional legal structures were swept away and native disputes successfully migrated to the colonial courts. These included politically-motivated defamation actions that had little to do with protecting reputations. In fact, defamation litigation has long become an extension of politics, in many cases a new front for political manoeuvring.

The latter type of defamation action is far more sinister. Powerful elites, both individuals and corporations, have cynically misused the law of defamation to silence criticism and chill the free press. By filing excessive and often unfounded complaints that are dispersed across the country, which threaten journalists with imprisonment, powerful elites frighten journalists into submission and vindictively hound those who refuse to back down. Such actions are called Strategic Lawsuits against Public Participation (SLAPPs) which Rajeev Dhavan warns have created a new system of censorship.

Petitions and politicians

Defamation originates from the concept of scandalum magnatum – the slander of great men – which protected the reputations of aristocrats. The crime was linked to sedition, so insulting a lord was akin to treason. In today’s neo-feudal India, political leaders are contemporary aristocrats. Investigating them can invite devastating consequences, even death. Most of the time, they retaliate through defamation law. Since the criminal justice system is most compromised at its base, where the police and magistrates directly interact with people, the misuse of criminal defamation law hurts ordinary citizens.

This is different from politicians prosecuting each other since they rarely, if ever, suffer punishment. Of all the petitions before the Supreme Court concerning the decriminalisation of defamation, the three that received the most news coverage were those of Subramanian Swamy, Rahul Gandhi, and Arvind Kejriwal. They are all politicians, their petitions were made in response to defamation complaints filed by rival politicians. On the other hand, there are numerous cases which politicians have filed against private members of civil society to silence them. When presented with these concerns, the Supreme Court simply failed to seriously engage with them.

The architecture of defamation

Defamation has many species, a convoluted history, and complex defences. Defamation can be committed by the spoken word, which is slander, or the written word, which is libel. The historical distinction between these two modes of defamation is based on the permanence of written words. Before the invention of the printing press, the law was chiefly concerned with slander. But as written ideas proliferated through mass publication technologies, libel came to be viewed as more malevolent and the law visited serious punishments on writers and publishers.

Such a distinction presumes a literate readership. In largely illiterate societies, the spoken word was more potent. This is why films and radio have long attracted censorship and state control in India. Before mass publishing forked defamation into libel and slander, there existed only the historical crime of libel. Historical libel had four species: seditious libel, blasphemous libel, obscene libel, and defamatory libel.

Seditious libel, which has been repealed in Britain, prospers in India as the offence of sedition which is criminalised by section 124A of the IPC. Blasphemous libel, repealed in Britain, fares well in India as the offence of blasphemy under section 295A of the IPC. Obscene libel, as the offence of obscenity, is criminalised by section 294 of the IPC. And defamatory libel, repealed in Britain, which is the offence of criminal defamation that the Subramanian Swamy case upheld, continues to exist under section 499 of the IPC.

Confusing harms

Of the many errors that litter the Supreme Court’s May 13, 2016 judgment in the Subramanian Swamy case, perhaps the most egregious is the failure to recognise the harm that criminal defamation poses to a healthy civil society in a free democracy. At the crux of this mistake is the Supreme Court’s failure to distinguish between private injury and social harm. Two people may, in their private capacities, litigate a civil suit to recover damages if one feels the other has injured her reputation. This private action of defamation was not in issue before the court.

On the other hand, by criminalising defamation, why should the state protect the reputations of individuals while expending public resources to do so? This goes to the concept of crime. When an action is serious enough to harm society it is criminalised. Rape strikes at the root of public safety, human dignity, equality, and peace, so it is a crime. A breach of contract only injures the party who was expecting the performance of contractual duties; it does not harm society, so it is not a crime. Similarly, a loss of reputation, which is by itself difficult to quantify, does no harm to society and so it should not be a crime.

Truth and the public good

It may be argued, and the Supreme Court hints, that at its fundament, society is premised on the need for truth; so lies should be penalised. This is where defamation law wanders into moral policing. In Indian and European philosophies, truth is consecrated as a moral good. The Supreme Court quotes from the Bhagavad Gita on the virtue of truth. But while quotes like these are undoubtedly meaningful, they have no utility in a constitutional challenge. In reality, society is composed of truth, lies, untruths, half-truths, rumour, satire, and a lot more. In fact, the more shades of opinion there are, the livelier that society is. So lies should not invite criminal liability.

If we concede the moral debate and arrive at a consensus that the law must privilege truth over lies, then truth alone should be a complete defence to defamation. If the law criminalises untruth, then it must sanctify truth. That means when tried for the crime of defamation, a journalist must be acquitted if her writing is true. But the law and the Supreme Court require more. In addition to proving the truth, the journalist must prove that her writing serves the public good. So speaking truth is illegal if it does not serve the public good.

In fact, truth has only recently been recognised as a defence to defamation, albeit not a complete defence. This belies the social foundations of criminal defamation law. The purpose of the offence is not to uphold truth, it is to protect the reputations of the powerful. But what is reputation? The Supreme Court spends 25 pages trying to answer this question with no success. Instead, the court declares that reputation is protected by the right to life guaranteed by Article 21 of the Indian Constitution but it offers no sound reasoning to support this claim. The court also fails to explain why the private civil action of defamation is insufficient to protect reputation.

The constitution and constitutionalism

There are two core constitutional questions posed by the Subramanian Swamy case. They are:

• Does the crime of defamation fall within one of the nine grounds listed in Article 19(2) of the constitution; and
• Are sections 499 and 500 of the IPC which criminalise and punish defamation reasonable restrictions on the right to free speech?

Article 19(2) contains nine grounds in the interests of which a law may reasonably restrict the right to free speech. Defamation is one of the nine grounds, but the provision is silent as to which type of defamation, civil or criminal, it considers. However, B.R. Ambedkar’s comments in the Constituent Assembly arguably indicate that criminal defamation was intended to be a ground to restrict free speech.

The answer to the second question lies in measuring the reasonableness of the restriction criminal defamation places on free speech. If the restriction is proportionate to the social harm caused by defamation, then it is reasonable. However, restating an earlier point, criminalising defamation serves no legitimate public purpose because society is unconcerned with the reputations of a few individuals. Even if society is concerned with private reputations, the private civil action of defamation is more than sufficient to protect private interests. Further, the danger that current criminal defamation law poses to India’s free speech environment is considerable. Dhavan says: “Defamation cases [are] a weapon by which the rich and powerful silence their critics and censor a democracy.”

The Subramanian Swamy case highlights several worrying trends in India’s constitutional jurisprudence. The judgment is delivered by one judge speaking for a bench of two. Such critically significant constitutional challenges cannot be left to the whims of two unelected and unaccountable men. Moreover, from its position as the guarantor of individual freedoms, the Supreme Court appears to be in retreat. This will have far-reaching and negative consequences for India’s citizenry. If the court fails to enhance individual freedoms, what is its constitutional role? The judiciary would do well to stay away from policy mundanities and focus on promoting India’s democratic project, lest it injure its own reputation.

The article by Rohini Lakshané was published in Gender IT.org on May 19, 2016. This was also mirrored by Feminism in India on January 9, 2017.

The incident had spurred protests across the country and made international headlines. Along with all this came a slew of new “women’s safety” apps. Existing ones, many of which had fizzled out, were conveniently relaunched. My own experience of user-testing such apps in India back then was that they were unreliable at best and dangerously counterproductive at worst. Some of them were endorsed by governments and celebrities and ended up being glorified despite their flaws, their technical and systemic handicaps never acknowledged at all.

There are myriad mobile phone apps meant to be deployed for personal safety, but their basic functioning is more or less the same: the user activates the app (by pressing a button, shaking the device or similar cue), which sends a distress message containing the users’ location to pre-defined contacts. Some apps include additional artefacts such as a short audio or video recording of the situation. Some others augment this mechanism by alerting the police and other agencies best placed to respond to the emergency. For example, the Companion app for students living on campus notifies the university along with police. The SOS buttons in taxi-hailing apps such as Uber enable the user’s contacts to follow the cab’s GPS trail and notify them and the cab company’s “incident response team” of emergencies. Apps such as Kitestring would treat the lack of the user’s response within a time-window as the trigger for a distress message. All their technical wizardry perhaps makes it easy to lose sight of the fact that technology is not a saviour but a tool or an enabler, that technology alone cannot be the panacea of a problem that is deeply complex and, in reality, rooted in society and governance.

The Indian government announced last month that every phone sold in the country from January 2017 should be equipped with a panic button that sends distress flares to the police and a trusted set of contacts. Nearly half the phones sold in India cost USD 100 or less. Prices are kept so low by sacrificing features and the quality of the hardware; there are a lot of phones with substandard GPS modules, poor touchscreens, slow processors, bad cameras, tiny memory, and dismal battery life. They run on different versions of different operating systems, some of them outdated. All of these factors would determine if someone is able to use the app at all and how quickly they and their phone would be able to respond to an emergency. Additionally, mobile phone signals become thin or shaky in areas with a high number of users and buildings located cheek-by-jowl. Even when the mobile hardware is good and the mobile signal usable, GPS accuracy can be spotty and constant location tracking would hog battery. These issues would affect the efficacy of any app. Besides, there is too much uncertainty for an app developer to factor in. (Two years ago, I learnt about an app called Pukar, then operational in collaboration with police departments in four cities in India. Pukar solved the problem of potential inaccuracy of the GPS location by getting the user’s contacts to tell the police where the person in distress might be.) Designing a one-size-fits-all safety app is almost impossible. The app that rings a loud alarm when triggered may save someone’s life or spoil the chances of someone who is trying to get help while hiding. Different people may be vulnerable to different kinds of distress situations and an app can at best be optimised for some target user groups.

An app that does not work in tandem with existing machinery for law enforcement and public safety is a bad idea.

In the end, the “technical” problems may actually be problems of economic disparity. Making it mandatory for people to own phones equipped with certain hardware or requiring them to upgrade to more reliable devices would drive the phones out of the financial reach of many. Indian manufacturers have expressed concerns that the proposed panic button would raise costs for them as well the end buyers. Popularising a downloadable app and informing its target users how to install and work it correctly needs a marketing blitzkrieg, which is something only the state or well-funded developers can afford. The New Delhi police department runs a dedicated control room for reports arriving from its safety app, Himmat (the word for courage in many Indian languages). It’s an expensive affair.

An app that does not work in tandem with existing machinery for law enforcement and public safety is a bad idea. It puts the onus of “keeping women safe” on members of their social circles or on intermediaries and private parties such as cab companies, while absolving law enforcement agencies of their failing to provide security. It opens doors to victim blaming in case someone is unable to use the app at the right time in the right way, or if the app fails.

On the contrary, an app that does loop in the police raises concerns about surveillance and protection of data available to the police, which is especially problematic in places such as India where there is no law for privacy or data protection. Alwar, one of the cities where Pukar was implemented, is super-populated with a large geographical area and a high crime rate. Police departments in such places tend to be overworked and understaffed. Without significant policing reforms, it is questionable whether they will be able to respond in time. A sting operation done by two media outlets on 30 senior officials of the New Delhi police department in 2012 showed the cops blaming victims of sexual violence with gay abandon. “If girls don't stay within their boundaries, if they don't wear appropriate clothes, then naturally there is attraction. This attraction makes men aggressive, prompting them to just do it [sexual assault]," reads one of their nuggets. “It's never easy for the victim [to complain to the police]. Everyone is scared of humiliation. Everyone's wary of media and society. In reality, the ones who complain are only those who have turned rape into a business," goes another. An app that lets known people monitor someone’s location also poses the risk of abuse, coercion and surveillance by intimate partners or members of the family.

Unfortunately, there is no app for reforming a morass in law enforcement or dismantling patriarchy.

The article was published in the Indian Express on May 8, 2016.

Facebook is worried. Even though usage is growing, something strange is happening on the social network. For the first time since it started its journey as a website to rate datable people on college campuses, to becoming the global reference point that defined friendship in the connected age, people are sharing less personal information on Facebook. For a social media network that positions itself largely as a space where our everyday, banal doings become newsworthy articulations, this is surprising news. But it is true. On Facebook, the traffic is high, but most of it is now sharing of external information. People are sharing links to news, to listicles, to videos, to blogs entries, to pictures and to information that they find interesting, but they are writing less and less about what it is that they are doing and feeling.

Ironically, this coincides with the latest change in Facebook’s “response” options, where the ubiquitous “Like” button can now expand to other emojis where you can also be appropriately angry, sad, surprised, or happy about the shared content. Even as Facebook is trying to get its users to qualify how they feel and give emotional value to their likes, people seem to be sharing even less of their private lives on Facebook.

One of the key ways of understanding this drop in people sharing their personal information is through the concept of “context collapse”. It has been a concern since the first instances of disembodied digital communication. In our everyday life, we make sense of information based on the different contexts that surround us. The person who authors the information, the setting within which that information reaches us, the emotional state that we are in when encountering the information, our sense of where we are when processing it, and the preparedness we have for receiving this information are all crucial parameters by which we make sense of the meaning of the information and also our response to it.

In the case of Facebook, the context within which information and transactions have made sense is “friendship”. The site’s USP was that you could bring in a variety of information, but you were always sharing it with friends. You could have a large audience, but this audience is formed of people you know, people you trust, people you add to your friend groups — there is a sense of intimacy, privacy, and casualness that marks the flow of information. You are able to talk, in an equal breath, about what you had for breakfast, your crush on a celebrity, your random acts of charity, and your strong political rant, one after the other, without requiring to think about what you are posting and how others will receive it.

However, Facebook is not really a friendship platform. It is a company interested in selling our interactions and data to advertisers who can target us with content and information based on the patterns of our behaviour. To serve its advertisers better, Facebook started privileging “verified” information trying to ensure news and content producers higher attention and more eyeballs. This was further strengthened by their continued integration with third party vendors, who could push and pull information into the social world of Facebook, and is seen as one of the biggest reasons for this drop. Any newsfeed in the last few months has had equal amounts of professional and amateur content, leading to a context collapse, where you no longer feel like your Facebook feed is a private and intimate conversation with friends.

Similarly, Facebook’s expansive integration of its products —WhatsApp chats, Instagram updates, and Tumblr posts all can collapse into one — produced a confusing space where the personal information that you were once happy to share with your friends, is suddenly being shared along with news and information. Also, digital behaviour works on mirroring, and we often shape our updates to match what we see on our timelines. If we more and more see external content rather than personal statuses, we also start sharing more third party news and links, thus producing a domino effect of everybody shying away from extremely personal or intimate moments.

Facebook, for the millennials, has been the context within which friendship got structured. Its own transitions have now collapsed that context, leading people to think of it as a content aggregator. It is going to be interesting to see what happens to our digital friendships and networks if Facebook is no longer the space where they are housed.

The article was published in the Indian Express on April 17, 2016.

It took me some time to trust the cloud. Growing up with digital technologies that were neither resilient nor reliable — a floppy drive could go kaput without you having done anything, a CD once scratched could not be recovered, hard drives malfunctioned and it was a given that once every few months your PC would crash and need a re-install — I have always been paranoid about making backups and storing information. Once I kicked into my professional years, I developed a foolproof, albeit paranoid, system, where I backed up my machines to a common hard drive, made a mirror image of that hard drive, and for absolutely crucial documents, I would put them on to a separate DVD which would have the emergency documents. It was around 2006, when I discovered the cloud.

It began with Google’s unlimited email accounts where you could mail information to yourself and then it would stay there for a digital eternity. I noticed that the size of my digital storage began decreasing. I no longer download videos I find on the web. I don’t save information on a device and I have come to think of the web as one large cloud, relying on the fact that if something is online once, it will always be available to me.

However, over the last couple of months, I have started noticing something different in my usage patterns. These days, when I do come across interesting information, instead of merely indexing it, I find myself making an offline copy of that information. Tweets enter a Storify folder. YouTube videos get downloaded. I make PDF copies of blogs and take screenshots of digital medial updates. I have been wondering why I am suddenly so invested in archiving the web when, theoretically, it is always there.

When I voiced this to a group of young students, I was surprised to hear that I wasn’t alone. The web is becoming a space that is crowded with take-downs, deletions, removals, and retractions which leave no archival memory. The students quickly pointed out that these take-downs are not just personal redactions. In fact, what we personally choose to remove has very little chances of actually disappearing from the web. Instead, these are things that are removed by governments, private companies and intermediaries who are being largely held liable for the content of the information that they make available.

Turkey, recently, demanded that German authorities remove a satirical German video titled Erdowie, Erdowo, Erdogan mocking their President. In response, Germany reminded the Turkish diplomacy of that lovely little thing called freedom of speech, and in the meantime, Extra 3, the group that had released the video on YouTube, added English subtitles to the video. Just for perks. I hope you gave a brownie point to Germany, even as you scrambled to see the video.

On the home front, though, things are not as celebratory. The minister of state for information and broadcasting, Rajyavardhan Rathore, and the head of the BJP’s information and technology cell, Arvind Gupta, have called for action against journalist Raghav Chopra who tweeted a photoshopped image of PM Narendra Modi bending down to touch the feet of a man dressed in Saudi Arabia’s national dress, to make a political comment about the PM’s recent visit to SA.

The two politicos, who have not had much to say about the doctored videos that were used to convict innocent students in JNU or the photoshopping that the government’s Press Information Bureau had indulged in to give us that iconic image of the prime minister doing an aerial survey of #ChennaiFloods, have taken umbrage against an image because it seems (obviously) false, and are demanding its takedown.

My proclivity for saving things offline is perhaps fuelled by this web of partisan censorship and the atmosphere of precarious hostility that governments seem to be supporting. Increasingly, we have seen, in India and around the globe, a rush of political power that exercises its clout to remove information, images and stories that they do not approve of.

Instinctively, I am reacting to the fact that intellectual questioning or cultural critique is being removed from the web at the behest of these vested powers, and that the cloud, light and airy as it sounds, is prone to some incredible acts of censorship and removal. I have found myself facing too many removal notices and take-down errors when trying to revisit bookmarked sites, that I am beginning to feel that the only way to keep my information safe might be to archive the whole web on a personal server.

The article was published in Indian Express on April 3, 2016.

This is the story of a broken Kindle. A friend sent a message to a WhatsApp group that I belong to that she is mourning the loss of her second-generation Kindle, that she bought in 2012, and since then had been her regular companion. It is not the story of hardware malfunction or a device just giving up. Instead, it is a story of how quickly we forget the old technologies which were once new. The friend, on her Easter holiday, was visiting her sister, who has a six-year-old daughter.

This young one, a true digital native, living her life surrounded by smart screens, tablets, phones, and laptops, instinctively loves all digital devices and plays with them. In her wanderings through her aunt’s things, she came across the old Kindle — unsmart, without a touch interface, studded with keys, not connected to any WiFi, and rendered in greyscale. It was an unfamiliar device. But with all the assurance of somebody who can deal with digital devices, she took it in her hands to play with it.

Much to her dismay, none of the regular modes of operation worked. The old Kindle did not have a touch screen operated lock. It wasn’t responding to scroll, swipe and pinch. It had no voice command functions. As she continued to cajole it to come to life, it only stared at her, a lock on the digital interface, refusing to budge to the learned demands and commands of the new user. After about 20 minutes of trying to wake the Kindle up, she became frustrated with it and banged it harshly on the table, where it cracked, the screen blanked out and that was the end of the story.

Or rather, it is the beginning of one. As my friend registered the loss of her clunky, clumsy, heavy, non-intuitive Kindle, and messages of grief poured in, with the condolence that the new ones are so much better and the assurances that at least all her books are safe on the Amazon cloud, I see in this tale, the quest of newness that the digital always has to offer.

If it has missed your attention, the digital is always new. Our phones get discarded every few seasons, even as phone companies release new models every few months. Our operating systems are constantly sending us notifications that they need to be updated. Our apps operate in stealth mode, continuingly adding updates where bugs are fixed and features are added. Most of us wouldn’t know what to do if we were faced with a computer that doesn’t “heal”, “backup” or “restore” itself. If our lives were to be transferred back to dumb phones, or if we had to deal with devices that do not strive to learn and read us, it might lead to some severe anxiety.

The newness that the digital offers is also found in our socially mediated lives. Our digital memories are short-lived — relationships rise and fall in the span of days as location-based dating apps offer an infinite range of options to choose your customised partner; celebrities are made and unmade overnight as clicks lead to viral growth and then disappear to be replaced by the next new thing; communities find droves of subscribers, only to become a den of lurkers where nothing happens; must-have apps find themselves discarded as trends shift and new must-haves crop up overnight. Breathless, bountiful and boundless, the digital keeps us constantly running, just to be in the same place, always the same and yet, always new.

We would be hard pressed to remember that magical moment when we first discovered a digital object. For millennials, the digital is such a natural part of their native learning environments that they do not even register the first encounter or the subsequent shifts as they navigate across the connected world. Increasingly, we tune ourselves to the temporality and the acceleration of the digital, tailoring our memories to what is important, what is now, and what is immediately of use, excluding everything else and dropping it into digital storage, assured in our godlike capacities to archive everything.

This affordance of short digital memories is enabled partly by the fact that we are subject to information overload, but partly also to the fact that our machines can now remember, more accurately and more robustly than the paltry human, prone to error and forgetfulness. With the digital, memory becomes equated with storage, and the more we commit to storage, the more we free ourselves from the task of remembering.

The broken Kindle is a testimony not only to the ways in which we discard old devices but also our older forms of individual and collective memory — quickly doing away with information that is not of the now, that is not urgent, and that does not have immediate use value. My friend’s Kindle got replaced in two days. All her books were re-loaded and she was set to go. However, as she told me in a chat, she is not going to throw away her old broken Kindle. Because she wants to remember it — remember the joy of reading her favourite books on it. She is scared that if she throws it away, she might forget.

The article was published in the Indian Express on March 20, 2016.

“You are supposed to write about the internet, why do you keep talking about all this politics?” I was taken aback when I was faced with this question. It is true – since the year has begun, I have talked about digital education and the ways in which it needs to account for unexpected and underserved communities, about net neutrality and why the Indian government needs to build a stronger, safer, and a more inclusive digital ecosystem. I have written about freedom of speech and expression and how this is going to be the year when we stand together to save the internet from vested interests that seek to convert it from a public commons into a private commodity.

In my head, all these questions — of inclusion, of access, of presence, of rights — are questions of human life and living, but they are also those that are being hugely restructured by the internet and digital technologies. When faced with the query, I was reminded of a deep-seated division that has been at the heart of digital cultures.

Way back in the ’90s, when the internet was still a space of science fiction and the World Wide Web was in its nascent stages, there was a distinction made between Virtual Reality (VR) and Real Life (RL). The presumption in the construction of these categories was that the digital is only an escape, the technological is merely a prosthesis, and the internet is just a thing that a few geeks engaged with in their free time. However, the last three decades have made this distinction between VR and RL redundant.

We live in digital times. The digital is not just something we use strategically and specifically to do a few tasks. Our very perception of who we are, how we connect to the world around us, and the ways in which we define our domains of life, labour, and language are hugely structured by the digital technologies. The digital is ubiquitous and hence, like air, invisible. We live within digital systems, we live with intimate gadgets, we interact through digital media, and even though we might all be equally digital natives, there is no denying the fact that the very presence and imagination of the digital has dramatically restructured our lives. The digital, far from being a tool, is a condition and context that defines the shapes and boundaries of our understanding of the self, the society, and the structures of governance.

The pervasive nature of the digital technologies and internet can be found at multiple levels. For instance, we do not think about going online anymore, because most of our devices are connected 24×7 to the digital web. Even when we are not online, sunk in a bad network connection, or protecting our precious data usage, we know that our avatars and digital identities are online and talking without us.

So established is this phenomenon that we even have a name for the anxiety it creates: FOMO — the Fear Of Missing Out. Similarly, the digital can be located at the level of human understanding. We are used to thinking of ourselves as digital systems. We talk about our primary identity as one marked by information overload. We often complain, when faced with too many demands on our time and space, that we don’t have enough bandwidth to deal with new problems, and we are not referring to digital connectivity.

The digital also has space at the level of policy and governance. If you, like the many millions of Indians, have registered for an Aadhaar card, you have already been marked by a digital identity whether or not you have broadband access. When our government launches Digital India campaigns, it is not merely about an economic model of growth, but it is suggesting that the digital is going to be at the foundations of the new India that we want to build for the future.

If the digital is so central to our fundamental understanding of the self, the society, and the state, then surely it is time to stop thinking that these technologies have nothing to do with politics? There remains a forced imagination of technologies as devices, as tools, as prostheses which do not have any other role than the performing of a function. However, this is a fallacy, because not only do technologies shape our sense of who we are, but they also prescribe new templates and models of who we are going to be. In the process, these technologies take political action, create social structures, mobilise cultural possibilities, and often, because they are technologies that are still elite and available to the privileged few in the country, they enable decisions which are not always fair, open, and just.

Hence, a technological decision cannot be read merely as a technical decisions but as human decisions. To speak of technology is to speak of human life and living. To write about technology is to write about politics, because a separation between the two is not only futile but downright dangerous.

Comments on the Draft Geospatial Information Regulation Bill, 2016

by the Centre for Internet and Society

1. Preliminary

1.1. This submission presents comments and recommendations by the Centre for Internet and Society (“CIS”) on the draft Geospatial Information Regulation Bill, 2016 (“the draft bill” / “the proposed bill” / “the bill”).

2. Centre for Internet and Society

2.1. The Centre for Internet and Society is a non-profit organisation that undertakes interdisciplinary research on internet and digital technologies from the perspectives of policy and academic research. The areas of focus include accessibility for persons with disabilities, access to knowledge, intellectual property rights, openness (including open data, free and open source software, open standards, open access, open educational resources, and open video), internet governance, telecommunication reform, digital privacy, and cyber-security. The academic research at CIS seeks to understand the reconfiguration of social processes and structures through the internet and digital media technologies, and vice versa.

2.2. This submission is consistent with CIS’ commitment to safeguarding the public interest, and particularly the representing the interests of ordinary citizens and consumers. The comments in this submission aim to further the principles of people’s right to information regarding their own country, openness-by-default in governmental activities, freedom of speech and expression, and the various forms of public good that can emerge from greater availability of open (geospatial) data created by both public and private agencies, and the innovations made possible as a result.