Download the infographic: PDF and JPG.

License: It is shared under Creative Commons Attribution 4.0 International License.

Originally published by The Wire on April 24, 2016.

Since its introduction as a money bill in the Lok Sabha in the first week of March [1], the Aadhaar (Targeted delivery of Financial and other subsidies, benefits and services) Bill, 2016 has been embroiled in controversy. The Lok Sabha rejected the five recommendations of the Rajya Sabha and adopted the bill on March 16 and only presidential assent was required for it become to become valid law. However, former Union Minister Jairam Ramesh filed a writ petition contesting the decision to treat the Aadhaar Bill as a money bill. The petition is due to be heard before the Supreme Court on April 25, and should the court decide to entertain the petition, it could have far-reaching implications for the Aadhaar project and the manner in which money bills are passed by the Parliament.

There are three broad categories of bills (all legislations or Acts are known as ‘bills’ till they are passed by the Parliament) that the Parliament can pass. The first kind, Constitution Amendment Bills, are those that seek to amend a provision in the Constitution of India. The second are financial bills which contain provisions on matters of taxation and expenditure. Money bills are a subset of the financial bills which contain provisions only related to taxation, financial obligations of the government, expenditure from or receipt to the Consolidated Fund of India and any matters incidental to the above. The third category is of ordinary bills which includes all other bills. The process for the enactment of all these bills is different. Money bills are peculiar in that they can only be introduced in the Lok Sabha where it can be passed by simple majority. Following this, it is transmitted to the Rajya Sabha. The Rajya Sabha’s powers are restricted to giving recommendations on the Bill and sending it back to the Lok Sabha, which the Lok Sabha is under no obligation to accept. The decision to introduce the Aadhaar Bill as a money bill has been widely seen as an attempt to circumvent the Rajya Sabha where the ruling party is in a minority.

Article 110 (1) of the Constitution defines a money bill as one containing provisions only regarding the matters enumerated or any matters incidental to them. These are a) imposition, regulation and abolition of any tax, b) borrowing or other financial obligations of the Government of India, c) custody, withdrawal from or payment into the Consolidated Fund of India (CFI) or Contingent Fund of India, d) appropriation of money out of CFI, e) expenditure charged on the CFI or f) receipt or custody or audit of money into CFI or public account of India. Article 110 is modelled on Section 1(2) of the (UK) Parliament Act, 1911 which also defines the money bills as those only dealing with certain enumerated matters. The use of the word “only” was brought up by Ghanshyam Singh Gupta during the Constituent Assembly Debates. He pointed out that the use of the word “only” limits the scope of money bills to only those legislations which did not deal with other matters. His amendment to delete the word “only” was rejected clearly establishing the intent of the framers of the Constitution to keep the ambit of money bills extremely narrow.

While the Aadhaar Bill does make references to benefits, subsidies and services funded by the Consolidated Fund of India (CFI), even a cursory reading of the bill reveals its main objectives as creating a right to obtain a unique identification number and providing for a statutory apparatus to regulate the entire process. The mere fact of establishing the Aadhaar number as the identification mechanism for benefits and subsidies funded by the CFI does not give it the character of a money bill. The bill merely speaks of facilitating access to unspecified subsidies and benefits rather than their creation and provision being the primary object of the legislation. Erskine May’s seminal textbook, ‘Parliamentary Practice” is instructive in this respect and makes it clear that a legislation which simply makes a charge on the Consolidated Fund does not becomes a money bill if otherwise its character is not that of one.

PDT Achary, former secretary general of the Lok Sabha, has expressed concern about the use of Money Bills as a means to circumvent the Rajya Sabha. He has written here [2] and here [3], on what constitutes a money bill and how the attempts to pass off financial bills like the Aadhaar Bill as money bills could erode the supervisory role Rajya Sabha is supposed to play. This is especially true in the case of a legislation like the Aadhaar Bill which has far reaching implications for individual privacy as it governs the identification system conceptualised to provide a unique and lifelong identity to residents of India dealing with both the analog and digital machinery of the state and by virtue of Section 57 of any private entities. Already over 1 billion people have been enrolled under this identification scheme, and the project has been a subject of much debate and a petition before the Supreme Court. The project has been portrayed as both the last hope for a welfare state and surveillance infrastructure. Regardless of which of the two ends of spectrum one leans towards, it is undeniable that the law governing the Aadhaar project deserved a proper debate in the Parliament. Even those who are strong proponents of the project must accept the decision to pass it off as a money bill undermines the importance of democratic processes and is a travesty on the Constitution and a blatant abrogation of the constitutional duties of the speaker.

The petition by Jairam Ramesh would hinge largely on the powers of the judiciary to question the decision of the Speaker of the Lok Sabha. Article 110 (3) is very clear in pronouncing the authority of the Speaker as final and binding. Additionally, Article 122 prohibits the courts from questioning the validity of any proceedings in Parliament on the ground of any alleged irregularity of procedure. The powers of privilege that Parliamentarians enjoy are integral to the principle of separation of powers. However, the courts may be able to make a fine distinction between inquiring into procedural irregularity which is prohibited by the Constitution; and questioning an incorrect application of substantive principles, which I would argue, is the case with the Speaker decision.

References

[1] See: http://thewire.in/2016/03/07/arun-jaitley-introduces-money-bill-on-aadhar-in-lok-sabha-24115/.

[2] See: http://indianexpress.com/article/opinion/columns/show-me-the-money-4/.

[3] See: http://www.thehindu.com/opinion/lead/circumventing-the-rajya-sabha/article7531467.ece.

The article by Elonnai Hickok and Vanya Rakesh was published by Dataquest on April 25, 2016

Smart grid is a promising power delivery infrastructure integrated with communication and information technologies which enables monitoring, prediction and management of energy usages. Establishment of smart grids becomes highly important for the Indian economy, as the present grid losses are one of the highest in the world at upto 50% and costing India upto 1.5% of its GDP. India operates one of the largest synchronous grids in the world – covering an area of over 3 million sq km, 260 GW capacity and over 200 million customers with the estimated demand of India increasing 4 times by the year 2032.

In the year 2013, the Ministry of Power (MoP), in consultation with India Smart Grid Forum and India Smart Grid Task Force released a smart grid vision and roadmap for India, a key policy document aligned to MoP’s overarching objectives of “Access, Availability and Affordability of Power for All”. It lays plans for a framework to address cyber security concerns in smart grids as well. To achieve goals envisaged in the roadmap, the Government of India established the National Smart Grid Mission in the year 2015 for planning, monitoring and implementation of policies and programs related to Smart Grid activities.

A number of smart grid projects have been introduced, and are currently underway. KEPCO in Kerala has established smart meter/intelligent power transmission and distribution equipment system in the year 2011 and the smart grid operations focus on peak reduction, load standardization, reduction in power transmission/distribution loss, response to new/renewable energy and reduction in black-out time. Gujarat was introduced to India’s first modernized electrical grid in the year 2014, to study consumer behaviour of electricity usage and propose a tariff structure based on usage and load on the power utility by installing new meters embedded with SIM card to monitor the data. The Bangalore Electricity Supply Company Ltd. (BESCOM) project in Bangalore envisaged the Smart Grid Pilot Project for integration of renewable and distributed energy resources into the grid, which is vital to meet growing electricity demands of the country, curb power losses, and enhance accessibility to quality power.

Cybersecurity challenges

At the same time, the introduction of a smart grid brings with it certain security risks and concerns, particularly to a nation’s cyber security. Increased interconnection and integration may render the grids vulnerable to cyber threats, putting stored data and computers at great risk.With sufficient cyber security measures, policies and framework in place, a Smart Grid can be made more efficient, reliable and secure as failure to address these problems will hinder the modernization of the existing power system. Smart Grids, comprising of numerous communication, intelligent, monitoring and electrical elements employed in power grid, have a greater exposure to cyber-attacks that can potentially disrupt power supply in a city.

Initiatives in India

The National Cyber Security Policy 2013 was released with an umbrella framework for providing guidance for actions related to security of cyberspace, by the Department of Electronics and Information Technology (DeitY). The Working Group on Information Technology established under the Planning Commission has also published a 12 year plan on IT development in India with a road map for cyber security, stating six key priority and focus areas for cyber security including:Enabling Legal Framework ; Security Policy, Compliance and Assurance; Security R&D; Security Incident – Early Warning and Response ; Security awareness, skill development and training, and Collaboration.

In case of Bangalore, to ensure smooth implementation of BESCOM’s vision, the company realised the need to put a cyber-security system in place to protect the smart grid installations in Bangalore city. To ensure security, BESCOM has come out with a separate IT security policy and dedicated trained IT cadre to safeguard its data and servers, becoming one of the few Discoms in India to take such measures for safeguarding the servers and data network from cyber crimes and threats.

Way forward

An electric system like Smart grids has enormous and far-reaching economic and social benefits. However, increased interconnection and integration tends to introduce cyber-vulnerabilities into the grid. With the evolution of cyber threats/attacks over time, it can be said that there are a lot of challenges for implementing cyber security in Indian smart grid. Considering importance of secure smart grid networks for flagship projects in India, the existing regulatory framework does not seem to adequately take into consideration the cyber security implications.

In light of this, the government must aim to develop and adopt high level cybersecurity policy to withstand cyber-attacks. Also, India must focus on skills development in this domain and have a capable workforce to achieve the targets set by Indian Government. The country must look up to develop an overall intelligence framework that brings together industry, governments and individuals with specific capabilities for this purpose.

The National Cyber Security Policy 2013, protecting public and private infrastructure from cyber attacks, along with all kinds of information, such as personal information of web users, banking and financial information,etc. is yet to be implemented by the Government properly. In the Indian Power sector, the cyber security regulations or mandates are absent in the National Electricity Policy (NEP) as well as the Electricity Act 2003 and its amendment in 2007, with no reference to cyber security concerns. These key legislations must be amended to take into account the growing challenges due to increased use of ICT in the power sector.

Apart from policy and regulatory measure, the system on which the smart grids are built and networked must be made architecturally strong and secure.One of the areas where due attention is required is making the Supervisory Control and Data Acquisition (SCADA) secure, a system that operates with coded signals to provide control of remote equipment and is entirely based on computer systems and network. Numerous systems also employ the Public Key Infrastructure (PKI) to secure the Smart Grids and address the security challenges by enabling identification, verification, validation and authentication of connected meters for network access. This can be leveraged for securing data integrity, revenue streams and service continuity. The key vulnerable areas prone to cyber attacks on information transmission are network information, data integrity and privacy of information. The information transmission networks must be well-designed as the network unavailability may result in the loss of real-time monitoring of critical smart grid infrastructures and power system disasters.

Addressing these fast growing challenges and cyber security needs of the country by adopting suitable regulatory, policy and architectural steps would help achieve the objectives of Digital India and Smart Cities enabling “Access, Availability and Affordability for All”.

Nehaa Chaudhari provided inputs and also edited the blog post. Click to download the File.

Several instances of the online privacy intrusion by the content producers have been recorded. In such a scenario the balancing the rights of the content producers and the end users becomes an important one. It is imperative to find a common ground to safeguard the interests of both the parties involved. In the recent past DRM has been receiving a lot of flak because of the privacy issues contented by the users.

In the most rudimentary form privacy can be explained as any information about an individual which he/she does not want to be made public. It is important to mention that this information is seen from the perspective of an ordinary reasonable person. The UN Declaration of Human Rights, 1948, defines privacy as a fundamental right of every human. The functioning of the DRM is based on restricting the usage or distribution of the content. Since this restriction is only possible after there is a formal identification of the end user, the content producers end up collecting information about the users. For example: a DRM for a music file might work in a manner where it can only be accessed by one computer from which the user accesses and registers for the first time. DRMs initially identify the IP addresses of the system and make the file functioning on only that IP address. In this way the producer ends up collecting information about the end user. Different DRM models take different ways to collect information of their user. While collecting IP addresses in one of them the other way is tracking the user information via download, browsing activities, subscription service, etc. The usage log of the users is generated and becomes a valuable asset to assess and predict the preferences of the users

Two contentions of privacy have been raised on the privacy issues of DRM -

a) What is the accountability of this process and

b) Whether it puts the content producers in a position where they can control the users.

The information collected is under the control of content producers, who mostly store this information in the form database. BEUC (European Consumer Organization) claimed that the DRM systems technologically enable content providers to monitor private consumption of content, create reports of consumption, and profile users.

The information is at the disposal of the content producers. An assessment of DRM applications under Canadian Privacy showed that the firms did not even recognise privacy issues of the customers as a priority. In fact the firms failed to provide the information that was stored in their databases. This gives an idea about the lack of transparency that exists in collecting the information about users. The question whether users are aware of what information is being collected and to what extent they are being tracked online remains unanswered. The CEN/ISSS (European Committee for Standardization/ Information Society Standardisation System) pointed out that DRMs have a large potential to transmit, generate personal information about users. It has also been characterized by unprecedented levels of monitoring by various content producers.

Further the principled level argumentation to this is on lines of collection of information without any authentication from the user herself/himself. It is essential that if any information is collected or saved by the producers it should only be after taking consent of the user. Surveillance and compelled disclosure of information about intellectual consumption threaten rights to personal integrity.

DRMs take away the anonymity of the consumption. Since the producers can practically monitor the content usage of the user, this has led to wide scale of price discrimination. This means that producers would monitor and assess the preferences of the user and subsequently raise the prices of that particular class of products. In the report of FIPR (Foundation of Information Policy and Research) it was found that Microsoft had been trying to implement their DRM systems in their products using a similar approach to gain a monopoly position as in their strategy of browser implementation.

The Sony BMG copy protection rootkit scandal in 2005 brought much criticism to DRM. It was found out that Sony BMG had introduced illegal and harmful copy protection measure in its CDs. The rootkit element of the software is used to hide virtually all traces of the copy protection software's presence on a PC, so that an ordinary computer user would have no way to find it. Further more than just the DRM part of it the software also made the user's system open to a number of malwares and created vulnerabilities in the system. Sony was eventually made to compensate consumer costs, etc on the same. However the question of whether the database in the hands of companies can be used in arbitrary manner was intensely discussed after this.

It is essential that an effective framework is brought into effect which caters to privacy interests of the users. Privacy is the basic human right and it is the onus of the State to protect and safeguard this right. It is essential that the State does not compromise and support mechanisms which promote the welfare of the content producers over the users. The balance of users and producers becomes all the more important in a developing country like ours. The lack the awareness and the knowledge coupled with increasing usage of internet can lead to the exploitation of many. It is essential that the States see through these problems and collectively find an all encompassing solution to it.

Published by and cross-posted from The Wire.

The Aadhaar Act 2016, passed in the Lok Sabha on March 16, 2016, faced opposition ever since it was tabled in parliament. In particular, the move to introduce it as a money bill has been vehemently challenged on grounds of this being an attempt to bypass the Rajya Sabha completely. A writ petition has been filed by former Union minister Jairam Ramesh on April 6 challenging the constitutionality and legality of the treatment of this Act as a money bill. The Supreme Court heard the matter on April 25 and invited the Union government to present its view.

It is our view that the Supreme Court can not only review the Lok Sabha speaker’s decision, but should also ask the government to draft the Aadhaar Bill again, this time with greater parliamentary and public deliberation.

The money bill question

M.R. Madhavan has argued that the Aadhaar Act contains matters other than “only” those incidental to expenditure from the consolidated fund, as it establishes a biometrics-based unique identification number for beneficiaries of government services and benefits, but also allows the number to be used for other purposes beyond service delivery. While Pratap Bhanu Mehta calls this a subversion of “the spirit of the constitution”, P.D.T. Achary, former secretary general of the Lok Sabha, expressed concern about the attempts to pass off financial bills like Aadhaar as money bills as a means to circumvent and erode the supervisory role of the Rajya Sabha. Arvind Datar has further emphasised that when the primary purpose of a bill is not governed by Article 110(1), then certifying it as a money bill is an unconstitutional act.

Article 110(1) of the Constitution identifies a bill as a money bill if it contains “only” provisions dealing with the following matters, or those incidental to them:

1. imposition and regulation of any tax,
2. financial obligations undertaken by Indian Government,
3. payment into or withdrawal from the Consolidated Fund of India (CFI) or Contingent Fund of India,
4. appropriation of money and expenditure charged on the CFI or receipt, and
5. custody, issue or audit of money into CFI or public account of India.

However, the link of the Act with the Consolidated Fund of India is rather tenuous, since it depends on the Union or state governments declaring a certain subsidy to be available upon verification of the Aadhaar number. The objectives and validity of the Act would not actually change if the Aadhaar number no longer was directly connected to the delivery of services. The use of the word “if” in section 7 explicitly leaves scope for a situation where the government does not declare an Aadhaar verification as necessary for accessing a subsidy. In such a scenario, the Act will still be valid but without any formal connection with any charges on the Consolidated Fund of India.

A case of procedural irregularity?

The constitution of India borrows the idea of providing the speaker with the authority to certify a bill as money bill from British law, but operationalises it differently. In the UK, though the speaker’s certificate on a money bill is conclusive for all purposes under section 3 of the Parliament Act 1911, the speaker is required to consult two senior members, usually one from either side of the house, appointed by the committee from amongst those senior MPs who chair general committees. In India, the speaker makes the decision on her own.

Although article 110 (3) of the Indian constitution states that the decision of the speaker of the Lok Sabha shall be final in case a question arises regarding whether a bill is a money bill or not, this does not restrict the Supreme Court from entertaining and hearing a petition contesting the speaker’s decision. As the Aadhaar Act was introduced in the Lok Sabha as a money bill even though it does not meet the necessary criteria for such a classification, this treatment of the bill may be considered as an instance of procedural irregularity.

There is ample jurisprudence on what happens when the Supreme Court’s power of judicial review comes up against Article 122 – which states that the validity of any proceeding in the parliament can (only) be called into question on the grounds of procedural irregularities. In the crucial judgment of Raja Ram Pal vs Hon’ble Speaker, Lok Sabha and Others (2007), the court evaluated the scope of judicial review and observed that although parliament is supreme, unlike Britain, proceedings which are found to suffer from substantive illegality or unconstitutionality, cannot be held protected from judicial scrutiny by article 122, as opposed to mere irregularity. Deciding upon the scope for judicial intervention in respect of exercise of power by the speaker, in Kihoto Hollohan vs Zachillhu and Ors. (1992), the Supreme Court held that though the speaker of the house holds a pivotal position in a parliamentary democracy, the decision of the speaker (while adjudicating on disputed disqualification) is subject to judicial review that may look into the correctness of the decision.

Several past decisions of the Supreme Court discuss how the tests of legality and constitutionality help decide whether parliamentary proceedings are immune from judicial review or not. In Ramdas Athawale vs Union of India (2010), the case of Keshav Singh vs Speaker, Legislative Assembly (1964) was referred to, in which the judges had unequivocally upheld the judiciary’s power to scrutinise the actions of the speaker and the houses. It was observed that if the parliamentary procedure is illegal and unconstitutional, it would be open to scrutiny in a court of law and could be a ground for interference by courts under Article 32, though the immunity from judicial interference under this article is confined to matters of irregularity of procedure. These observations were reiterated in Mohd. Saeed Siddiqui vs State of Uttar Pradesh (2014) and Yogendra Kumar Jaiswal vs State of Bihar (2016).

Thus, the decision of the Lok Sabha speaker to pass and certify a bill as a money bill is definitely not immune from judicial review. Additionally, the Supreme Court has the power to issue directions, orders or writs for enforcement of rights under Article 32 of the constitution, therefore, allowing the judiciary to decide upon the manner of introducing the Aadhaar Act in parliament.

National implications demand public deliberation

As the provisions of the Aadhaar Act have far reaching implications for the fundamental and constitutional rights of Indian citizens, the Supreme Court should look into the matter of its identification and treatment as a money bill and whether such decisions lead to the thwarting of legislative and procedural justice.

The Supreme Court may also take this opportunity to reflect on the very decision making process for classification of bills in general. As Smarika Kumar argues, experience with the Aadhaar Act reveals a structural concern regarding this classification process, which may have substantial implications in terms of undermining public and parliamentary deliberative processes. This “trend,” as Arvind Datar notes, of limiting legislative discussions and decisions of national importance within the space of the Lok Sabha must be swiftly curtailed.

Apart from deciding upon the legality of the nature of the bill, it is vital that the apex court ask the government to categorically respond to the concerns red-flagged by the Standing Committee on Finance, which had taken great exception to the continued collection of data and issuance of Aadhaar numbers in its report, and to the recommendations passed in the Rajya Sabha recently. Further, the repeated violation of the Supreme Court’s interim orders – that the Aadhaar number cannot be made mandatory for availing benefits and services – in contexts ranging from marriages to the guaranteed work programme should also be addressed and responses sought from the Union government.

Evidently, the substantial implications of the Aadhaar Act for national security and fundamental rights of citizens, primarily privacy and data security, make it imperative to conduct a duly balanced public deliberation process, both within and outside the houses of parliament, before enacting such a legislation.

The judgment on the plea to de-criminalise defamation is out and despite its verbosity and rich vocabulary is an embarrassment to our recent judicial milestone of constitutional challenges. In the case of Subramanian Swamy vs. Union of India, a two judge bench headed by Justice Dipak Misra, has upheld the constitutionality of Section 499 and Section 500 of Indian Penal Code, 1860 (IPC) and Section199 of Code of Criminal Procedure, 1973 (CrPC) that criminalise defamation.

The judgment has not satisfactorily answered several pertinent questions. Various significant issues relating to the existing regime of defamation have been touched upon in the judgment but the bench has skipped the part where it is required to analyse and give its own reasoning for upholding or reading down the law. This post points out what should have been looked at.

A. Whether defamation is a public or a private wrong?  What is the State’s interest in protecting the reputation of an individual against other private individuals? Is criminal penalty for defamatory statements an appropriate, adequate or disproportionate remedy for loss of reputation?

At the core of the debate to decriminalise defamation lies the question, whether defamation is a public or a private wrong. The question was raised in the Subramanian Swamy case and the court held that defamation is a public wrong. Our problem with the court’s decision lies in its failure to provide a sound and comprehensive analysis of the issue. In order to understand whether defamation is a public or a private wrong, it is necessary that we look at what reputation means, what happens when reputation is harmed and whose interests are affected by such harm.

Reputation is not defined in law, however the Supreme Court has held that reputation is a right to enjoy the good opinion of others and the good name, the credit, honour or character which is derived from such favourable public opinion. The definition reflects several elements that constitute reputation which when harmed have different bearing on the reputation of an individual. Academic Robert C Post in his paper, The Social Foundations on Defamation Law: Reputation and Constitution, says that reputation can be understood as a form of intangible property akin to goodwill or as dignity (the respect including self-respect that arises from observance of rules of the society). While reputation when seen as property can be estimated in money and thus adequately compensated through a civil action for damages, loss of dignity is not a materially quantifiable loss, and thus, monetary compensation appears irrelevant. The purpose of the defamation law could either be to ensure that reputation is not wrongfully deprived of its proper market value or the respect/acceptance of the society. Explanation 4 to Section 499 of the IPC accommodates both such situations and provides that reputation is harmed if it directly or indirectly, in the estimation of others, lowers the moral or intellectual character of that person, or lowers the character of that person in respect of his caste or of his calling, or lowers the credit of that person, or causes it to be believed that the body of that person is in a loathsome state, or in a state generally considered as disgraceful.

Post adds that an individual’s reputation is a product of his interaction with the society by following the norms of conduct (which he calls rules of civility) created by the society, thus the society has an interest in enforcing its rules of civility through defamation law by policing breaches of these rules. Criminal defamation acknowledges that loss of reputation is a wrong to the societal interests; however these interests have not been deliberated upon by the courts in India.

The Subramanian Swamy case was an occasion where, it was imperative that the court took up this exercise and explained what interest the society had in protecting the reputation of an individual for it to be classified as a public wrong. The court stated, “the law relating to defamation protects the reputation of each individual in the perception of the public at large. It matters to an individual in the eyes of the society. There is a link and connect between individual rights and the society; and this connection gives rise to community interest at large. Therefore, when harm is caused to an individual, the society as a whole is affected and the danger is perceived” With this reasoning it can be inferred that the society has an interest in all private wrongs. Where would that inference land us? This reasoning is ambiguous and inadequate.

On the other hand, criminal penalty for perfectly private wrongs such as copyright infringement and dishonour of cheques urges us to ask if there is a problem with the rigid distinction of public and private wrongs. Should we be asking the question differently?

The judgment has provided extremely inadequate answers to this question and has left matters ambiguous.

B. Can the right to reputation under Article 21 be enforced against another individual’s freedom of expression and are safeguards already built in law so as not to unreasonably restrict and stifle free expression in this regard?

Defamation finds a place in the list of constitutionally allowed restrictions on freedom of speech under Article 19 (2). Defamation protects the right to reputation of an individual thus free expression by this reason is subject to the right to reputation of an individual. The court had repeatedly observed that right to reputation is a part of the right to life under Article 21 of the Constitution. The question of enforceability of right to reputation under Article 21 against freedom of expression under Article 19 (1) (a) came into question in the instant case; it was contended that a fundamental right is enforceable against the State but cannot be invoked to serve a private interest of an individual. Thus, the right to reputation as manifested in defamation being a wrong committed against a private person by another person is unconnected and falls outside the scope of Article 19 (2). It is pertinent to note that Article 21 (which includes right to reputation) is enforceable not only against the state but also against private individuals. What is relevant here is an understanding of horizontal enforceability of fundamental rights (certain fundamental rights can be enforced against private individuals and non-state actors). This would help explain the dilemma in enforcing the right to reputation of an individual against free speech of another individual. It is vaguely mentioned in the judgment (see para 88) but has not been deliberated upon.

What follows from the discussion of enforceability of right to reputation, is the discussion on how reasonably it restricts speech. The Supreme Court has previously held that while determining reasonableness, the underlying purpose of the restrictions imposed, the extent and urgency of the evil sought to be remedied thereby, the disproportion of the imposition, the prevailing conditions at the time, should all enter into the judicial verdict. We briefly analyse the critical aspects of the regime of criminal defamation on these parameters.

Underlying purpose

At the heart of the defamation law is the need to find the most suitable remedy for loss of reputation of an individual. How does one restore reputation of an individual in the society and whether criminal penalty an appropriate remedy?

Extent of restriction

The extent to which defamation law restricts free speech could be analysed by looking at various aspects such as what kind of speech is considered defamatory, what procedure is followed to bring action against the alleged wrong doer and scope of abuse of the law. Explanation 1 to Section 499 of IPC provides that a statement or imputation is defamatory if it is not made in public good. It is not sufficient to prove that such statement or imputation is in fact true. The idea of public good is at best vague without any means to evaluate it. Further, under Section 199 of CrPC allows multiple complaints to be filed in different jurisdictions for a single offensive publication. Besides, usage of terms like “some person aggrieved” leaves room for parties other than the person in respect of whom defamatory material is published to bring action and the provision also allows the privilege of two sets of procedures for prosecution (in official capacity and in private capacity) to public servants without satisfactory reasoning provided for such discrimination. These provisions have the potential to be used to file frivolous complaints and could be a handy tool for harassment of journalists or activists among others.

Proportionality

Does the publication or imputation of defamatory material warrant payment of fine and imprisonment? Earlier in the post, we brought up the question of relevance of such measures to the act of defamation. Assuming that it is relevant, do we think it is harsh or commensurate to the wrongful act. It is necessary to look at the process of prosecution before we determine the proportionality of the restriction. Criminal law assumes that the accused is innocent until he is proven guilty. Therefore until the judiciary determines that the act of defamation was committed, how does the process help the accused in maintaining status quo.  It is also pertinent to look at the threshold for civil defamation. Under the civil wrong of defamation, truth works as a complete defence while under criminal defamation, a statement despite being true could invite penalty if it is not published in public good. Thus a lower threshold for criminal liability would upset the balance of proportionality. These aspects are critical to determine the reasonableness of criminal defamation and it is unfortunate that the judgment that runs into hundreds of pages has not evaluated them.

Conclusion

The convoluted debate on criminal defamation remains intact post the pronouncement of this judgment. Questions of competing interests of society and individuals or individuals per se, and ambiguous rationale behind imposition of liability, arbitrariness of procedure for prosecution have not been examined. Further, the hardship in compartmentalising free speech, the right to reputation and the right to privacy remains unanswered.

To,
Ministry of Health and Family Welfare,
Room 307 D,
Nirman Bhavan,
New Delhi 110108

Subject: Comments on the Electronic Health Record (EHR) Standards of India

The Electronic Health Record (EHR) Standards (hereinafter “EHR Standards”) were publicly circulated on March 18, 2016 seeking comments and views from stakeholders and the general public. Having reviewed the EHR Standards and referred to other robust standards dealing with the same subject matter, we wish to submit the following comments on the EHR Standards.

Standards and Interoperability

The EHR Standards state that the "primary aim of interoperability standards is to ensure syntactic (structural) and semantic (inherent meaning) interoperability of data amongst systems at all times" [1]. It is mentioned that set of standards outlined in this document represents an incremental approach to adopting standards and that they need to be flexible and modifiable to adapt to the demographic and resource diversity in India.

Comments:

1. The EHR Standards make a reference to syntactic and semantic interoperability without really defining these terms or stipulating clear steps for how they may be achieved. It is suggested that these terms are clearly defined. Syntactic interoperability can be defined as ensuring the preservation of the clinical purpose of the data during transmission among healthcare systems. Similarly, semantic interoperability can defined as enabling multiple systems to interpret the information that has been exchanged in a similar way through pre-defined shared meaning of concepts [2].
2. Inadequate human resource capacity remains a critical challenge to the adoption of e-health standards. The WHO and ITU eHealth Strategy Toolkit [3] recommends the development of effective health ICT workforce, capable of designing, building, operating and supporting e-health services. This workforce could participate in standards development, as well as the localization of international standards to fit a country's specific need. The EHR Standards should also include mechanisms and solutions to address these issues.

Ownership of Data

The physical or electronic records, which are generated by the healthcare provider are held in trust by them on behalf of the patient [4]. It is stated that the contained data which is sensitive personal data or personal information of the patient as per the Information Technology Act, 2000 is owned by the patients, however the medium for storage or transmission of such data is owned by the healthcare provider.

Comments:

1. Currently, the EHR Standards state that the contained data which are the sensitive personal data of the patient is owned by the patient. While medical records and history is included within the scope of sensitive personal data under the Information Technology Act, 2000, the definition of "Personal Health Information" under the EHR Standards is more expansive. Therefore, it is recommended that all Personal Health Information is deemed to be owned by the patient.
2. Currently, the EHR Standards do not clearly specify the bodies and individuals who would be subject to the requirements under this document. A definition similar to that of "covered entities" under the US Health Insurance Portability and Accountability Act (HIPAA) could be used [5].

Privileges of Patient

Currently, the privileges of the patient include the rights to inspect and view their medical records. Further, the patient can request a healthcare organization that stores/maintains their medical records, to withhold specific information that they do not want disclosed to other

organizations or individuals. Also, patients can demand information from a healthcare provider on the details of disclosures performed on the patient's medical records [6].

Comments:

1. Currently, the EHR Standards only refer to "medical records" as being available for inspection and review of the patients. This should be expanded to also include information about enrollment, payment, claims adjudication, case or medical management record systems maintained by or for a health plan; or Other records that are used, to make decisions about individuals by healthcare providers or other bodies [7].
2. The EHR standards do not currently stipulate that the upon request by a patient, healthcare providers must exercise timeliness in providing the information to them. A time-limit such 30 calendar days should be clearly stated within which the healthcare provider must process the request.
3. The right of patients to request information from a healthcare provider on the details of disclosures should include within its scope the rights to receive the date of the disclosure; the name and address of the entity or person who received the information; a brief description of the medical information disclosed; and; a brief summary of the purpose of the disclosure [8].
4. A right to seek amendment of the one's medical records should also be provided to patients in cases where the information is incomplete.

Patient Identifying Information

Under the Standards, Personal identifiers include the following: Name, Address (all geographic subdivisions smaller than street address, and PIN code) All elements (except years) of dates related to an individual (including date of birth, date of death, etc.), Telephone, cell (mobile) phone and/or Fax numbers, Email address, Bank Account and/or Credit Card Number, Medical record number, Health plan beneficiary number, Certificate/license number, Any vehicle or other any other device identifier or serial numbers, PAN number, Passport number, AADHAAR card, Voter ID card, Fingerprints/Biometrics, Voice recordings that are non-clinical in nature, Photographic images and that possibly can individually identify the person, Any other unique identifying number, characteristic, or code [9].

Comments:

The above mentioned list is not adequate and exhaustive such as the definition and scope of Protected Health Information under the HIPAA [10]. The following identifiers must be included within the scope of Patient Identifying Information: Device identifiers and serial numbers, Web Universal Resource Locators (URLs), Internet Protocol (IP) address numbers.

Disclosure of Protected/Sensitive Information

The EHR Standards state that disclosure of protected/sensitive information for use in treatment, payments and other healthcare operations must be only done after obtaining a general consent of the patient. On the other hand, disclosures for for non-routine and most non-health care purposes must be done only after obtaining the specific consent of the patient. Only for certain specified national priority activities, such as notifiable/communicable diseases, it is stated that "the health information may be disclosed to appropriate authority as mandated by law without the patient's prior authorization."

Comments:

1. The terms "specific consent" and "general consent" need to be clearly defined.
2. In cases of disclosures for for non-routine and most non-health care purposes, a written authorisation should be mandatory. It should be clearly specified that a healthcare provider may not condition treatment, payment, enrollment, or benefits eligibility on an individual granting an authorization.
3. There is confusion due to the use of numerous terms such as "health information", "protected health information", "sensitive personal data", "personal information" and "protected/sensitive information" in the EHR Standards for the same purpose. Some of these above terms are defined while the others are not. In order to remove the ambiguity caused due to this, it is recommended that the term "protected health information" is used throughout the document.
4. All bodies dealing with medical data should be required to abide by the principle of "data minimisation" in use and disclosure. They must take reasonable efforts to use, disclose, and request only the minimum amount of protected health information needed to accomplish the intended purpose of the use, disclosure, or request.
5. For internal uses, healthcare providers and other entities must develop and implement policies and procedures that restrict access and uses of protected health information based on the specific roles of the members of their workforce.

Amber Sinha,
Centre for Internet and Society,
No. 194, 2nd 'C' Cross,
Domlur, 2nd Stage,
Bengaluru, 560071

We at the Centre for Internet and Society are grateful for the opportunity to comment on the draft new ICANN by-laws. Before we comment on specific aspects of the Draft by-laws, we would like to make a few general observations:

Broadly, there are significant differences between the final form of the by-laws and that which has been recommended by the participants in the IANA transition process through the ICG and the CCWG. They have been shown to be unnecessarily complicated, lopsided, and skewed towards U.S.-based businesses in their past form, which continues to reflect in the current form of the draft by-laws.

The draft by-laws are overwrought, but some of that is not the fault of the by-laws, but of the CCWG process itself.  Instead of producing a broad constitutional document for ICANN, the by-laws read like the worst of governmental regulations that go into unnecessary minutiae and create more problems than they solve. Things that ought not to be part of fundamental by-laws — such as the incorporating jurisdiction of PTI, on which no substantive agreement emerged in the ICG — have been included as such.

Simplicity has been seen as a sin and has made participation in this complicated endeavour an even more difficult proposition for those who don’t choose to participate in the dozens of calls held every month. On specific substantive issues, we have the following comments:

Jurisdiction of ICANN’s Principal Office

Maintaining by-law Article XVIII, which states that ICANN has its principal office in Los Angeles, California, USA, these Draft by-laws make an assumption that ICANN’s jurisdiction will not change post transition, even though the jurisdiction of ICANN and its subsidiary bodies is one of the key aspects of post transition discussion to be carried out in Work Stream 2 (WS2). Despite repeated calls to establish ICANN as an international community based organisation (such as the International Red Cross or International Monetary Fund), the question of ICANN's future jurisdiction was deferred to WS2 of the CCWG-Accountability process. All of the new proposed by-laws have been drafted with certainty upon ICANN's jurisdiction remaining in California. Examples of this include the various references to the California Civil Code in the by-laws and repeated references to entities and structures (such as public benefit corporations) in the fundamental by-laws of the ICANN that can only be found in California.

This would make redundant any discussion in WS2 regarding jurisdiction, since they cannot be implemented without upending the decisions relating to accountability structures made in WS1, and embedded in the by-laws.

CIS suggests an provision expressly be inserted in the by-laws to allow changes to the by-laws in WS2 insofar as matters relating to jurisdiction and other WS2 issues are concerned, to make it clear that there is a shared understanding that WS2 decisions on jurisdiction are not meant to be redundant.

Jurisdiction of the Post-Transition IANA Authority (PTI)

The structure of the by-laws and the nature of the PTI in Article 16 make its Californian jurisdiction integral to the very organisation as a whole and control all its operations, rights and obligations. This is so despite this issue not having been included in the CWG report (except for footnote 59 in the CWG report, and as a requirement proposed by ICANN’s lawyers, to be negotiated with PTI’s lawyers, in Annex S of the CWG report).  The U.S. government’s requirement that the IANA Functions Operator be a U.S.-based body is a requirement that has historically been a cause for concern amongst civil society and governments.  Keeping this requirement in the form of a fundamental by-law is antithetical to the very idea of internationalizing ICANN, and is not something that can be addressed in Work Stream 2.

CIS expressed its disagreement with the inclusion of the U.S-jurisdiction requirement in Annex S in its comments to the ICG. Nothing in the main text of the CWG or ICG recommendations actually necessitate Californian jurisdiction for the PTI.  Thus, clearly the draft by-laws include this as a fundamental by-law despite it not having achieved any form of documented consensus in any prior process. This being a fundamental by-law would make shifting the PTI’s registered and principal office almost impossible once the by-laws are passed.

No reasoning or discussion has been provided to justify the structure, location and legal nature of the PTI. The fact that the revenue structure, by-laws and other details have not even been hinted at in the current document, indicate that the true rights and obligations of PTI have been left at the sole discretion of the ICANN while simultaneously granting it fundamental by-law protection. This is not only deeply problematic on front of delegation of excessive responsibility for a key ICANN function without due oversight but also leads to situation where the community is agreeing to be bound to a body whose fundamental details have not even been created yet, and yet is a fundamental by-law.

CIS would therefore suggest that the PTI related clauses in the by-laws be solely those on which existing global Internet community consensus can be shown, and the PTI’s jurisdiction is not something on which such consensus can be shown to exist.  Therefore the by-laws should be rewritten to make them agnostic to PTI’s jurisdiction. Further, CIS suggests that the law firm appointed for PTI be non-American, since U.S.-based law firms capable law firms in Brazil, France, and India.

We would also like to note that we have previously proposed that PTI’s registered office and ICANN’s registered office be in different jurisdictions to increase jurisdictional resilience against governmental and court-based actions.

Grandfathering Agreements Clause

A fair amount of discussion has taken place both in the CCWG mailing list about Section 1.1 (d)(ii), which concerns the inclusion of certain agreements into the scope of protection granted to ICANN from its Mission and Objective statement goals. CIS largely agrees with the positions taken by the IAB and CCWG in their comments of demanding the removal of parts B, C, D E and F of Section 1.1(d)(ii) as all of these are agreements that were not included in the scope of the CCWG Proposal and a fair few of these agreements (such as the PTI agreement) have not even been created yet. This leads to practical and legal issues for the ICANN as well as the community as it restricts possible accountability and transparency measures that may be taken in the future.
CIS as its suggestion therefore agrees with the IAB and CCWG in this regard and supports the request by them that demand by these grandfathering provisions be removed.

Inspection Rights

Section 22.7 severely limits the transparency of ICANN’s functioning, and we believe it should be amended.

(a) It limits Inspection Requests to Decisional Participants and does not allow for any other interested party to make a request for inspection.  While the argument has been made that Californian law requires inspection rights for decisional participants, neither the law nor CCWG’s recommendations require restricting the inspection rights to decisional participants. CIS’s suggestion is to allow for any person in the public to make a request for examination, but to have to declare the nature of the public interest behind requests for non-decisional participants, so that an undue number of requests are not made for the purpose of impairing the operations of the organisation.

(b) The unclear but extremely limited definition of ‘permitted scope’, which does not allow one to question any ‘small or isolated aspect’ of ICANN’s functioning, where there is no explicit definition of what constitutes the scope of matters relevant to operation of ICANN as a whole, leaving a loophole for potential exploitation. CIS suggests the removal of this statement and to allow only for limitations listed in Section 22.7 (b) for Inspection Requests.

(3) There is no hard deadline provided for the information to be made available to the querying body, thus allowing for inordinate delays on the part of the ICANN, which is open to abuse. CIS suggests the removal of the clause ‘or as soon as reasonably practicable thereafter’ in this section.

(4) The need for insisting that the material be used only for restricted purposes. CIS suggests that as a step towards ICANN’s transparency, it is essential that they allow the use of the information for any reason deemed necessary by the person demanding inspection. There is no clear reason to require restriction to EC proceedings for non-confidential material.  This requirement should be removed.

Work Stream 2 Topics

Section 27.2, which covers necessary topics for WS2, currently does not include key aspects such as PTI documents, jurisdictional issues, etc. In this light, we suggest that they be included and a clause be inserted to indicate that this list of topics is indicative and the CCWG can expand the scope of items to be worked on in WS2 as well as make changes to work completed in WS1 (such as these by-laws) to meet WS2 needs as well.

FOI-HR

Section 27.3 (a) requires the FOI-HR to be approved by "(ii) each of the CCWG-Accountability’s chartering organizations..” which is inconsistent with the CCWG proposal that forms the basis for these by-laws. The requirement of formal approval from every Chartering Organisation in the current draft is inconsistent with Annex 6 of the CCWG proposal, that has no such requirement.

CIS strongly advocates for a change in the bylaw text to align with the intent of the CCWG Accountability report, and to reflect that the process of developing the FOI-HR shall follow the same procedure as Work Stream 1.

Contracts with ICANN

Section 27.5 currently states that “Notwithstanding the adoption or effectiveness of the New by-laws, all agreements, including employment and consulting agreements, entered by ICANN shall continue in effect according to their terms.”

As the section currently stands, there is a possibility that prior to the creation of by-laws, agreements that may be in contravention of the by-laws may be brought forth intentionally before the commencement of the operation of ICANN’s Mission statement in the said by-laws. The clause may be updated as follows to avoid this —

“Notwithstanding the adoption or effectiveness of the New by-laws, all agreements, including employment and consulting agreements, entered by ICANN shall continue in effect according to their terms, provided that they are in accordance with ICANN’s Mission Statement.”

The article was published in the Wire on May 14, 2016.

Politics and censorship

Two kinds of defamation actions have emerged to capture popular attention. First, political interests have adopted defamation law to settle scores and engage in performative posturing for their constituents. And, second, powerful entities such as large corporations have exploited weaknesses in defamation law to threaten, harass, and intimidate journalists and critics.

The former phenomenon is not new. Colonial India saw an explosion of litigation as traditional legal structures were swept away and native disputes successfully migrated to the colonial courts. These included politically-motivated defamation actions that had little to do with protecting reputations. In fact, defamation litigation has long become an extension of politics, in many cases a new front for political manoeuvring.

The latter type of defamation action is far more sinister. Powerful elites, both individuals and corporations, have cynically misused the law of defamation to silence criticism and chill the free press. By filing excessive and often unfounded complaints that are dispersed across the country, which threaten journalists with imprisonment, powerful elites frighten journalists into submission and vindictively hound those who refuse to back down. Such actions are called Strategic Lawsuits against Public Participation (SLAPPs) which Rajeev Dhavan warns have created a new system of censorship.

Petitions and politicians

Defamation originates from the concept of scandalum magnatum – the slander of great men – which protected the reputations of aristocrats. The crime was linked to sedition, so insulting a lord was akin to treason. In today’s neo-feudal India, political leaders are contemporary aristocrats. Investigating them can invite devastating consequences, even death. Most of the time, they retaliate through defamation law. Since the criminal justice system is most compromised at its base, where the police and magistrates directly interact with people, the misuse of criminal defamation law hurts ordinary citizens.

This is different from politicians prosecuting each other since they rarely, if ever, suffer punishment. Of all the petitions before the Supreme Court concerning the decriminalisation of defamation, the three that received the most news coverage were those of Subramanian Swamy, Rahul Gandhi, and Arvind Kejriwal. They are all politicians, their petitions were made in response to defamation complaints filed by rival politicians. On the other hand, there are numerous cases which politicians have filed against private members of civil society to silence them. When presented with these concerns, the Supreme Court simply failed to seriously engage with them.

The architecture of defamation

Defamation has many species, a convoluted history, and complex defences. Defamation can be committed by the spoken word, which is slander, or the written word, which is libel. The historical distinction between these two modes of defamation is based on the permanence of written words. Before the invention of the printing press, the law was chiefly concerned with slander. But as written ideas proliferated through mass publication technologies, libel came to be viewed as more malevolent and the law visited serious punishments on writers and publishers.

Such a distinction presumes a literate readership. In largely illiterate societies, the spoken word was more potent. This is why films and radio have long attracted censorship and state control in India. Before mass publishing forked defamation into libel and slander, there existed only the historical crime of libel. Historical libel had four species: seditious libel, blasphemous libel, obscene libel, and defamatory libel.

Seditious libel, which has been repealed in Britain, prospers in India as the offence of sedition which is criminalised by section 124A of the IPC. Blasphemous libel, repealed in Britain, fares well in India as the offence of blasphemy under section 295A of the IPC. Obscene libel, as the offence of obscenity, is criminalised by section 294 of the IPC. And defamatory libel, repealed in Britain, which is the offence of criminal defamation that the Subramanian Swamy case upheld, continues to exist under section 499 of the IPC.

Confusing harms

Of the many errors that litter the Supreme Court’s May 13, 2016 judgment in the Subramanian Swamy case, perhaps the most egregious is the failure to recognise the harm that criminal defamation poses to a healthy civil society in a free democracy. At the crux of this mistake is the Supreme Court’s failure to distinguish between private injury and social harm. Two people may, in their private capacities, litigate a civil suit to recover damages if one feels the other has injured her reputation. This private action of defamation was not in issue before the court.

On the other hand, by criminalising defamation, why should the state protect the reputations of individuals while expending public resources to do so? This goes to the concept of crime. When an action is serious enough to harm society it is criminalised. Rape strikes at the root of public safety, human dignity, equality, and peace, so it is a crime. A breach of contract only injures the party who was expecting the performance of contractual duties; it does not harm society, so it is not a crime. Similarly, a loss of reputation, which is by itself difficult to quantify, does no harm to society and so it should not be a crime.

Truth and the public good

It may be argued, and the Supreme Court hints, that at its fundament, society is premised on the need for truth; so lies should be penalised. This is where defamation law wanders into moral policing. In Indian and European philosophies, truth is consecrated as a moral good. The Supreme Court quotes from the Bhagavad Gita on the virtue of truth. But while quotes like these are undoubtedly meaningful, they have no utility in a constitutional challenge. In reality, society is composed of truth, lies, untruths, half-truths, rumour, satire, and a lot more. In fact, the more shades of opinion there are, the livelier that society is. So lies should not invite criminal liability.

If we concede the moral debate and arrive at a consensus that the law must privilege truth over lies, then truth alone should be a complete defence to defamation. If the law criminalises untruth, then it must sanctify truth. That means when tried for the crime of defamation, a journalist must be acquitted if her writing is true. But the law and the Supreme Court require more. In addition to proving the truth, the journalist must prove that her writing serves the public good. So speaking truth is illegal if it does not serve the public good.

In fact, truth has only recently been recognised as a defence to defamation, albeit not a complete defence. This belies the social foundations of criminal defamation law. The purpose of the offence is not to uphold truth, it is to protect the reputations of the powerful. But what is reputation? The Supreme Court spends 25 pages trying to answer this question with no success. Instead, the court declares that reputation is protected by the right to life guaranteed by Article 21 of the Indian Constitution but it offers no sound reasoning to support this claim. The court also fails to explain why the private civil action of defamation is insufficient to protect reputation.

The constitution and constitutionalism

There are two core constitutional questions posed by the Subramanian Swamy case. They are:

• Does the crime of defamation fall within one of the nine grounds listed in Article 19(2) of the constitution; and
• Are sections 499 and 500 of the IPC which criminalise and punish defamation reasonable restrictions on the right to free speech?

Article 19(2) contains nine grounds in the interests of which a law may reasonably restrict the right to free speech. Defamation is one of the nine grounds, but the provision is silent as to which type of defamation, civil or criminal, it considers. However, B.R. Ambedkar’s comments in the Constituent Assembly arguably indicate that criminal defamation was intended to be a ground to restrict free speech.

The answer to the second question lies in measuring the reasonableness of the restriction criminal defamation places on free speech. If the restriction is proportionate to the social harm caused by defamation, then it is reasonable. However, restating an earlier point, criminalising defamation serves no legitimate public purpose because society is unconcerned with the reputations of a few individuals. Even if society is concerned with private reputations, the private civil action of defamation is more than sufficient to protect private interests. Further, the danger that current criminal defamation law poses to India’s free speech environment is considerable. Dhavan says: “Defamation cases [are] a weapon by which the rich and powerful silence their critics and censor a democracy.”

The Subramanian Swamy case highlights several worrying trends in India’s constitutional jurisprudence. The judgment is delivered by one judge speaking for a bench of two. Such critically significant constitutional challenges cannot be left to the whims of two unelected and unaccountable men. Moreover, from its position as the guarantor of individual freedoms, the Supreme Court appears to be in retreat. This will have far-reaching and negative consequences for India’s citizenry. If the court fails to enhance individual freedoms, what is its constitutional role? The judiciary would do well to stay away from policy mundanities and focus on promoting India’s democratic project, lest it injure its own reputation.

The article by Rohini Lakshané was published in Gender IT.org on May 19, 2016. This was also mirrored by Feminism in India on January 9, 2017.

The incident had spurred protests across the country and made international headlines. Along with all this came a slew of new “women’s safety” apps. Existing ones, many of which had fizzled out, were conveniently relaunched. My own experience of user-testing such apps in India back then was that they were unreliable at best and dangerously counterproductive at worst. Some of them were endorsed by governments and celebrities and ended up being glorified despite their flaws, their technical and systemic handicaps never acknowledged at all.

There are myriad mobile phone apps meant to be deployed for personal safety, but their basic functioning is more or less the same: the user activates the app (by pressing a button, shaking the device or similar cue), which sends a distress message containing the users’ location to pre-defined contacts. Some apps include additional artefacts such as a short audio or video recording of the situation. Some others augment this mechanism by alerting the police and other agencies best placed to respond to the emergency. For example, the Companion app for students living on campus notifies the university along with police. The SOS buttons in taxi-hailing apps such as Uber enable the user’s contacts to follow the cab’s GPS trail and notify them and the cab company’s “incident response team” of emergencies. Apps such as Kitestring would treat the lack of the user’s response within a time-window as the trigger for a distress message. All their technical wizardry perhaps makes it easy to lose sight of the fact that technology is not a saviour but a tool or an enabler, that technology alone cannot be the panacea of a problem that is deeply complex and, in reality, rooted in society and governance.

The Indian government announced last month that every phone sold in the country from January 2017 should be equipped with a panic button that sends distress flares to the police and a trusted set of contacts. Nearly half the phones sold in India cost USD 100 or less. Prices are kept so low by sacrificing features and the quality of the hardware; there are a lot of phones with substandard GPS modules, poor touchscreens, slow processors, bad cameras, tiny memory, and dismal battery life. They run on different versions of different operating systems, some of them outdated. All of these factors would determine if someone is able to use the app at all and how quickly they and their phone would be able to respond to an emergency. Additionally, mobile phone signals become thin or shaky in areas with a high number of users and buildings located cheek-by-jowl. Even when the mobile hardware is good and the mobile signal usable, GPS accuracy can be spotty and constant location tracking would hog battery. These issues would affect the efficacy of any app. Besides, there is too much uncertainty for an app developer to factor in. (Two years ago, I learnt about an app called Pukar, then operational in collaboration with police departments in four cities in India. Pukar solved the problem of potential inaccuracy of the GPS location by getting the user’s contacts to tell the police where the person in distress might be.) Designing a one-size-fits-all safety app is almost impossible. The app that rings a loud alarm when triggered may save someone’s life or spoil the chances of someone who is trying to get help while hiding. Different people may be vulnerable to different kinds of distress situations and an app can at best be optimised for some target user groups.

An app that does not work in tandem with existing machinery for law enforcement and public safety is a bad idea.

In the end, the “technical” problems may actually be problems of economic disparity. Making it mandatory for people to own phones equipped with certain hardware or requiring them to upgrade to more reliable devices would drive the phones out of the financial reach of many. Indian manufacturers have expressed concerns that the proposed panic button would raise costs for them as well the end buyers. Popularising a downloadable app and informing its target users how to install and work it correctly needs a marketing blitzkrieg, which is something only the state or well-funded developers can afford. The New Delhi police department runs a dedicated control room for reports arriving from its safety app, Himmat (the word for courage in many Indian languages). It’s an expensive affair.

An app that does not work in tandem with existing machinery for law enforcement and public safety is a bad idea. It puts the onus of “keeping women safe” on members of their social circles or on intermediaries and private parties such as cab companies, while absolving law enforcement agencies of their failing to provide security. It opens doors to victim blaming in case someone is unable to use the app at the right time in the right way, or if the app fails.

On the contrary, an app that does loop in the police raises concerns about surveillance and protection of data available to the police, which is especially problematic in places such as India where there is no law for privacy or data protection. Alwar, one of the cities where Pukar was implemented, is super-populated with a large geographical area and a high crime rate. Police departments in such places tend to be overworked and understaffed. Without significant policing reforms, it is questionable whether they will be able to respond in time. A sting operation done by two media outlets on 30 senior officials of the New Delhi police department in 2012 showed the cops blaming victims of sexual violence with gay abandon. “If girls don't stay within their boundaries, if they don't wear appropriate clothes, then naturally there is attraction. This attraction makes men aggressive, prompting them to just do it [sexual assault]," reads one of their nuggets. “It's never easy for the victim [to complain to the police]. Everyone is scared of humiliation. Everyone's wary of media and society. In reality, the ones who complain are only those who have turned rape into a business," goes another. An app that lets known people monitor someone’s location also poses the risk of abuse, coercion and surveillance by intimate partners or members of the family.

Unfortunately, there is no app for reforming a morass in law enforcement or dismantling patriarchy.

The article was published in the Indian Express on May 8, 2016.

Facebook is worried. Even though usage is growing, something strange is happening on the social network. For the first time since it started its journey as a website to rate datable people on college campuses, to becoming the global reference point that defined friendship in the connected age, people are sharing less personal information on Facebook. For a social media network that positions itself largely as a space where our everyday, banal doings become newsworthy articulations, this is surprising news. But it is true. On Facebook, the traffic is high, but most of it is now sharing of external information. People are sharing links to news, to listicles, to videos, to blogs entries, to pictures and to information that they find interesting, but they are writing less and less about what it is that they are doing and feeling.

Ironically, this coincides with the latest change in Facebook’s “response” options, where the ubiquitous “Like” button can now expand to other emojis where you can also be appropriately angry, sad, surprised, or happy about the shared content. Even as Facebook is trying to get its users to qualify how they feel and give emotional value to their likes, people seem to be sharing even less of their private lives on Facebook.

One of the key ways of understanding this drop in people sharing their personal information is through the concept of “context collapse”. It has been a concern since the first instances of disembodied digital communication. In our everyday life, we make sense of information based on the different contexts that surround us. The person who authors the information, the setting within which that information reaches us, the emotional state that we are in when encountering the information, our sense of where we are when processing it, and the preparedness we have for receiving this information are all crucial parameters by which we make sense of the meaning of the information and also our response to it.

In the case of Facebook, the context within which information and transactions have made sense is “friendship”. The site’s USP was that you could bring in a variety of information, but you were always sharing it with friends. You could have a large audience, but this audience is formed of people you know, people you trust, people you add to your friend groups — there is a sense of intimacy, privacy, and casualness that marks the flow of information. You are able to talk, in an equal breath, about what you had for breakfast, your crush on a celebrity, your random acts of charity, and your strong political rant, one after the other, without requiring to think about what you are posting and how others will receive it.

However, Facebook is not really a friendship platform. It is a company interested in selling our interactions and data to advertisers who can target us with content and information based on the patterns of our behaviour. To serve its advertisers better, Facebook started privileging “verified” information trying to ensure news and content producers higher attention and more eyeballs. This was further strengthened by their continued integration with third party vendors, who could push and pull information into the social world of Facebook, and is seen as one of the biggest reasons for this drop. Any newsfeed in the last few months has had equal amounts of professional and amateur content, leading to a context collapse, where you no longer feel like your Facebook feed is a private and intimate conversation with friends.

Similarly, Facebook’s expansive integration of its products —WhatsApp chats, Instagram updates, and Tumblr posts all can collapse into one — produced a confusing space where the personal information that you were once happy to share with your friends, is suddenly being shared along with news and information. Also, digital behaviour works on mirroring, and we often shape our updates to match what we see on our timelines. If we more and more see external content rather than personal statuses, we also start sharing more third party news and links, thus producing a domino effect of everybody shying away from extremely personal or intimate moments.

Facebook, for the millennials, has been the context within which friendship got structured. Its own transitions have now collapsed that context, leading people to think of it as a content aggregator. It is going to be interesting to see what happens to our digital friendships and networks if Facebook is no longer the space where they are housed.

The article was published in the Indian Express on April 17, 2016.

It took me some time to trust the cloud. Growing up with digital technologies that were neither resilient nor reliable — a floppy drive could go kaput without you having done anything, a CD once scratched could not be recovered, hard drives malfunctioned and it was a given that once every few months your PC would crash and need a re-install — I have always been paranoid about making backups and storing information. Once I kicked into my professional years, I developed a foolproof, albeit paranoid, system, where I backed up my machines to a common hard drive, made a mirror image of that hard drive, and for absolutely crucial documents, I would put them on to a separate DVD which would have the emergency documents. It was around 2006, when I discovered the cloud.

It began with Google’s unlimited email accounts where you could mail information to yourself and then it would stay there for a digital eternity. I noticed that the size of my digital storage began decreasing. I no longer download videos I find on the web. I don’t save information on a device and I have come to think of the web as one large cloud, relying on the fact that if something is online once, it will always be available to me.

However, over the last couple of months, I have started noticing something different in my usage patterns. These days, when I do come across interesting information, instead of merely indexing it, I find myself making an offline copy of that information. Tweets enter a Storify folder. YouTube videos get downloaded. I make PDF copies of blogs and take screenshots of digital medial updates. I have been wondering why I am suddenly so invested in archiving the web when, theoretically, it is always there.

When I voiced this to a group of young students, I was surprised to hear that I wasn’t alone. The web is becoming a space that is crowded with take-downs, deletions, removals, and retractions which leave no archival memory. The students quickly pointed out that these take-downs are not just personal redactions. In fact, what we personally choose to remove has very little chances of actually disappearing from the web. Instead, these are things that are removed by governments, private companies and intermediaries who are being largely held liable for the content of the information that they make available.

Turkey, recently, demanded that German authorities remove a satirical German video titled Erdowie, Erdowo, Erdogan mocking their President. In response, Germany reminded the Turkish diplomacy of that lovely little thing called freedom of speech, and in the meantime, Extra 3, the group that had released the video on YouTube, added English subtitles to the video. Just for perks. I hope you gave a brownie point to Germany, even as you scrambled to see the video.

On the home front, though, things are not as celebratory. The minister of state for information and broadcasting, Rajyavardhan Rathore, and the head of the BJP’s information and technology cell, Arvind Gupta, have called for action against journalist Raghav Chopra who tweeted a photoshopped image of PM Narendra Modi bending down to touch the feet of a man dressed in Saudi Arabia’s national dress, to make a political comment about the PM’s recent visit to SA.

The two politicos, who have not had much to say about the doctored videos that were used to convict innocent students in JNU or the photoshopping that the government’s Press Information Bureau had indulged in to give us that iconic image of the prime minister doing an aerial survey of #ChennaiFloods, have taken umbrage against an image because it seems (obviously) false, and are demanding its takedown.

My proclivity for saving things offline is perhaps fuelled by this web of partisan censorship and the atmosphere of precarious hostility that governments seem to be supporting. Increasingly, we have seen, in India and around the globe, a rush of political power that exercises its clout to remove information, images and stories that they do not approve of.

Instinctively, I am reacting to the fact that intellectual questioning or cultural critique is being removed from the web at the behest of these vested powers, and that the cloud, light and airy as it sounds, is prone to some incredible acts of censorship and removal. I have found myself facing too many removal notices and take-down errors when trying to revisit bookmarked sites, that I am beginning to feel that the only way to keep my information safe might be to archive the whole web on a personal server.

The article was published in Indian Express on April 3, 2016.

This is the story of a broken Kindle. A friend sent a message to a WhatsApp group that I belong to that she is mourning the loss of her second-generation Kindle, that she bought in 2012, and since then had been her regular companion. It is not the story of hardware malfunction or a device just giving up. Instead, it is a story of how quickly we forget the old technologies which were once new. The friend, on her Easter holiday, was visiting her sister, who has a six-year-old daughter.

This young one, a true digital native, living her life surrounded by smart screens, tablets, phones, and laptops, instinctively loves all digital devices and plays with them. In her wanderings through her aunt’s things, she came across the old Kindle — unsmart, without a touch interface, studded with keys, not connected to any WiFi, and rendered in greyscale. It was an unfamiliar device. But with all the assurance of somebody who can deal with digital devices, she took it in her hands to play with it.

Much to her dismay, none of the regular modes of operation worked. The old Kindle did not have a touch screen operated lock. It wasn’t responding to scroll, swipe and pinch. It had no voice command functions. As she continued to cajole it to come to life, it only stared at her, a lock on the digital interface, refusing to budge to the learned demands and commands of the new user. After about 20 minutes of trying to wake the Kindle up, she became frustrated with it and banged it harshly on the table, where it cracked, the screen blanked out and that was the end of the story.

Or rather, it is the beginning of one. As my friend registered the loss of her clunky, clumsy, heavy, non-intuitive Kindle, and messages of grief poured in, with the condolence that the new ones are so much better and the assurances that at least all her books are safe on the Amazon cloud, I see in this tale, the quest of newness that the digital always has to offer.

If it has missed your attention, the digital is always new. Our phones get discarded every few seasons, even as phone companies release new models every few months. Our operating systems are constantly sending us notifications that they need to be updated. Our apps operate in stealth mode, continuingly adding updates where bugs are fixed and features are added. Most of us wouldn’t know what to do if we were faced with a computer that doesn’t “heal”, “backup” or “restore” itself. If our lives were to be transferred back to dumb phones, or if we had to deal with devices that do not strive to learn and read us, it might lead to some severe anxiety.

The newness that the digital offers is also found in our socially mediated lives. Our digital memories are short-lived — relationships rise and fall in the span of days as location-based dating apps offer an infinite range of options to choose your customised partner; celebrities are made and unmade overnight as clicks lead to viral growth and then disappear to be replaced by the next new thing; communities find droves of subscribers, only to become a den of lurkers where nothing happens; must-have apps find themselves discarded as trends shift and new must-haves crop up overnight. Breathless, bountiful and boundless, the digital keeps us constantly running, just to be in the same place, always the same and yet, always new.

We would be hard pressed to remember that magical moment when we first discovered a digital object. For millennials, the digital is such a natural part of their native learning environments that they do not even register the first encounter or the subsequent shifts as they navigate across the connected world. Increasingly, we tune ourselves to the temporality and the acceleration of the digital, tailoring our memories to what is important, what is now, and what is immediately of use, excluding everything else and dropping it into digital storage, assured in our godlike capacities to archive everything.

This affordance of short digital memories is enabled partly by the fact that we are subject to information overload, but partly also to the fact that our machines can now remember, more accurately and more robustly than the paltry human, prone to error and forgetfulness. With the digital, memory becomes equated with storage, and the more we commit to storage, the more we free ourselves from the task of remembering.

The broken Kindle is a testimony not only to the ways in which we discard old devices but also our older forms of individual and collective memory — quickly doing away with information that is not of the now, that is not urgent, and that does not have immediate use value. My friend’s Kindle got replaced in two days. All her books were re-loaded and she was set to go. However, as she told me in a chat, she is not going to throw away her old broken Kindle. Because she wants to remember it — remember the joy of reading her favourite books on it. She is scared that if she throws it away, she might forget.

The article was published in the Indian Express on March 20, 2016.

“You are supposed to write about the internet, why do you keep talking about all this politics?” I was taken aback when I was faced with this question. It is true – since the year has begun, I have talked about digital education and the ways in which it needs to account for unexpected and underserved communities, about net neutrality and why the Indian government needs to build a stronger, safer, and a more inclusive digital ecosystem. I have written about freedom of speech and expression and how this is going to be the year when we stand together to save the internet from vested interests that seek to convert it from a public commons into a private commodity.

In my head, all these questions — of inclusion, of access, of presence, of rights — are questions of human life and living, but they are also those that are being hugely restructured by the internet and digital technologies. When faced with the query, I was reminded of a deep-seated division that has been at the heart of digital cultures.

Way back in the ’90s, when the internet was still a space of science fiction and the World Wide Web was in its nascent stages, there was a distinction made between Virtual Reality (VR) and Real Life (RL). The presumption in the construction of these categories was that the digital is only an escape, the technological is merely a prosthesis, and the internet is just a thing that a few geeks engaged with in their free time. However, the last three decades have made this distinction between VR and RL redundant.

We live in digital times. The digital is not just something we use strategically and specifically to do a few tasks. Our very perception of who we are, how we connect to the world around us, and the ways in which we define our domains of life, labour, and language are hugely structured by the digital technologies. The digital is ubiquitous and hence, like air, invisible. We live within digital systems, we live with intimate gadgets, we interact through digital media, and even though we might all be equally digital natives, there is no denying the fact that the very presence and imagination of the digital has dramatically restructured our lives. The digital, far from being a tool, is a condition and context that defines the shapes and boundaries of our understanding of the self, the society, and the structures of governance.

The pervasive nature of the digital technologies and internet can be found at multiple levels. For instance, we do not think about going online anymore, because most of our devices are connected 24×7 to the digital web. Even when we are not online, sunk in a bad network connection, or protecting our precious data usage, we know that our avatars and digital identities are online and talking without us.

So established is this phenomenon that we even have a name for the anxiety it creates: FOMO — the Fear Of Missing Out. Similarly, the digital can be located at the level of human understanding. We are used to thinking of ourselves as digital systems. We talk about our primary identity as one marked by information overload. We often complain, when faced with too many demands on our time and space, that we don’t have enough bandwidth to deal with new problems, and we are not referring to digital connectivity.

The digital also has space at the level of policy and governance. If you, like the many millions of Indians, have registered for an Aadhaar card, you have already been marked by a digital identity whether or not you have broadband access. When our government launches Digital India campaigns, it is not merely about an economic model of growth, but it is suggesting that the digital is going to be at the foundations of the new India that we want to build for the future.

If the digital is so central to our fundamental understanding of the self, the society, and the state, then surely it is time to stop thinking that these technologies have nothing to do with politics? There remains a forced imagination of technologies as devices, as tools, as prostheses which do not have any other role than the performing of a function. However, this is a fallacy, because not only do technologies shape our sense of who we are, but they also prescribe new templates and models of who we are going to be. In the process, these technologies take political action, create social structures, mobilise cultural possibilities, and often, because they are technologies that are still elite and available to the privileged few in the country, they enable decisions which are not always fair, open, and just.

Hence, a technological decision cannot be read merely as a technical decisions but as human decisions. To speak of technology is to speak of human life and living. To write about technology is to write about politics, because a separation between the two is not only futile but downright dangerous.

Comments on the Draft Geospatial Information Regulation Bill, 2016

by the Centre for Internet and Society

1. Preliminary

1.1. This submission presents comments and recommendations by the Centre for Internet and Society (“CIS”) on the draft Geospatial Information Regulation Bill, 2016 (“the draft bill” / “the proposed bill” / “the bill”).

2. Centre for Internet and Society

2.1. The Centre for Internet and Society is a non-profit organisation that undertakes interdisciplinary research on internet and digital technologies from the perspectives of policy and academic research. The areas of focus include accessibility for persons with disabilities, access to knowledge, intellectual property rights, openness (including open data, free and open source software, open standards, open access, open educational resources, and open video), internet governance, telecommunication reform, digital privacy, and cyber-security. The academic research at CIS seeks to understand the reconfiguration of social processes and structures through the internet and digital media technologies, and vice versa.

2.2. This submission is consistent with CIS’ commitment to safeguarding the public interest, and particularly the representing the interests of ordinary citizens and consumers. The comments in this submission aim to further the principles of people’s right to information regarding their own country, openness-by-default in governmental activities, freedom of speech and expression, and the various forms of public good that can emerge from greater availability of open (geospatial) data created by both public and private agencies, and the innovations made possible as a result.

3. Comments

3.1. General Remarks

3.1.1. While CIS welcomes the intentions of the government to prevent use of geospatial information to undermine national security, the proposed bill completely fails to do so, infringes upon Constitutional rights, harms innovation, undermines the national initiatives of Digital India and Startup India, is completely impractical and unworkable, and it will lead to a range of substantial harms if the government actually seeks to enforce it.

3.1.2. There are already laws in place that prevent the use of geospatial information to undermine national security. For instance, the Official Secrets Act, 1923 (“OSA”) already contains provisions — sections 3(2)(a), (b), and (c) — all of which would prevent a person from creating maps that undermine national security and would penalise their doing so. Section 5 of the OSA contains multiple provisions that penalise the possession and communication of maps that undermine “national security.” The penalties under the OSA range from imprisonment of up to 3 years all the way to imprisonment up to 14 years. Given this, there is absolutely no need to create yet another law to deal with maps that undermine “national security.” Indeed, it is the government’s stated policy to reduce the number of laws in India, whereas the proposed bill introduces a redundant new law that adds multiple layers of bureaucracy.

3.1.3. The National Mapping Policy, 2005, already puts in place restrictions on wrongful depictions of India’s international boundaries, and as we explain below in section 3.4 of this document, even the National Mapping Policy is over-broad. Even if the government wishes to provide statutory backing to the policy, it should be a very different law that is far more limited in scope, and restricts itself to criminalising those who misrepresent India’s international boundary with an intention to mislead people into thinking that that is the official boundary of India as recognised by the Survey of India. CIS would support a law of such limited scope and mandate, provided it has an appropriate penalty.

3.1.4. There would be much utility in a law that creates a duty on the Survey of India to make available, in the form of an open standard, an official electronic version of the maps that it creates, and expressly allows and encourages citizens and startups to reuse such official maps, however the Ministry of Home Affairs would not be the nodal ministry for such a law.

3.1.5. We recommend that the proposed law be scrapped in its entirety.

3.1.6. We additionally provide an alternative manner of reducing the harms caused by this bill, in our comments below. By no means should these further comments be seen as a repudiation of our above position, since we do not feel the proposed bill, even with the inclusion of all of our recommendations, would truly further its stated aims. All our below recommendations would do is to reduce the bill’s harmful, and often unintended, consequences.

3.2. Definition of “Geospatial Information” is over-broad, all- encompassing

3.2.1. The second part of the definition of “geospatial information” refers to all “graphic or digital data depicting natural or man-made physical features, phenomenon or boundaries of the earth or any information related thereto” that are “referenced to a co-ordinate system and having attributes.” (Section 2(1)(e)) As per the definition, this will include all geo-referenced information, and data, that is produced by everyday users as an integral part of various everyday uses of digital technologies. This will also include geo-referenced tweets and messages, location of public and private vehicles shared in the real-time with agencies tracking their location (from public transport authorities, to insurance agencies, etc.), location data of mobile phones collected and used by telecommunication service providers, location of mobile phones shared by the user with various kinds of service providers (from taxi companies to delivery agencies), etc.

3.2.2. We recommend that instead of regulating all kinds of geospatial information, and giving rise to a range of possible harms, the draft bill be revised to specifically address “sensitive geospatial information,” defined as geospatial information related to the “Prohibited Places” as defined in the Official Secrets Act 1923 (section 2(8)) which will allow the bill to effectively respond to its key stated concerns of ensuring “security, sovereignty and integrity of India.” Since the National Map Policy defines “Vulnerable Points” and “Vulnerable Areas” (para 3(b)) as the two main types of geospatial units associated with “Prohibited Places”, these terms should also be referred to in the revised version of the draft bill.

3.3. Unreasonable regulation of acquiring and end-use of geospatial information

3.3.1. Section 3 of the draft bill states that “[s]ave as otherwise provided in this Act, rules or regulations made thereunder, or with the general or special permission of the Security Vetting Authority, no person shall acquire geospatial imagery or data including value addition” and “[e]very person who has already acquired any geospatial imagery or data ... including value addition prior to coming of this Act into effect, shall within one year from the commencement of this Act, make an application alongwith requisite fees to the Security Vetting Authority.” This effectively makes it illegal to acquire and maintain ownership of geospatial information that has not been subjected to security vetting.

3.3.2. This draft bill doesn’t apply just to geospatial information that may undermine national security but covers all manners of geospatial information and modern geospatial technologies embedded in everyday digital devices and intimately connected to various electronic products and services, from cars to mobile phones, result in the creation and acquiring of various kinds of geo-referenced information, ranging from the geo-referenced photographs to locations shared with friends. Even ordinary users who are unknowingly looking at maps that contain sensitive geospatial information, which are illegal under the Official Secrets Act, are committing an illegal act under the draft bill, because the users temporarily acquires such sensitive geospatial information in her/his digital device, as part of the very act of browsing the map concerned. This clearly cannot be the intention of the bill. Thus we recommend deletion of the word “acquire.”

3.3.3. Further, the insertion of the phrase “including value addition” in both Section 3(1) and 3(2) appears to suggest that all users who have created derivative products using geospatial information that includes sensitive data (that is data related to Prohibited Places) may be held liable under this draft bill, even if these users have not themselves collected or created such sensitive geospatial information, which was part of the original geospatial information published by the source map agency. This too cannot be the intention of the bill. Thus, we recommend deletion of the phrase “including value addition.”

3.3.4. In the definition of the “Security Vetting of Geospatial Information” itself, it is mentioned that the process will include “screening of the credentials of the end-users and end-use applications, with the sole objective of protecting national security, sovereignty, safety and integrity.” (Section 2(1)(o)) This appears to indicate that all end-users of all electronic and analog services and products using geospatial information will have to be individually vetted before such services and products are used, which would cover a large proportion of the Indian population. This imposes an enormous and impractical burden on the Indian digital economy in particular, and the entire national economy in general, without improving national security. This too cannot be the intention of the draft bill. Thus, we recommend deletion of this phrase, and ensure that end users are not covered by the law.

3.3.5. Given these specific characteristics of how modern geospatial technologies work, and how they provide a basis for various kinds of everyday use of electronic products and services, we would like to submit that the regulatory focus should be on large-scale and/or commercial dissemination, publication, or distribution of geospatial information, and not on the acts of acquiring, possessing, sharing, and using geospatial information. Further, the regulation in general should be aimed at the party owning the geospatial information in question, and not at the parties involved in its dissemination (say, Internet Service Providers) or in its generation or use (say, end-users).

3.4. Removal of journalistic, political, artistic, creative, and speculative depictions of India from the scope of Section 6

3.4.1. Section 6 of the draft bill states that “[n]o person shall depict, disseminate, publish or distribute any wrong or false topographic information of India including international boundaries through internet platforms or online services or in any electronic or physical form.” Section 15 imposes a penalty for such wrong depiction of maps of India.

3.4.2. Depictions of India, which do not purport to accurately represent the international boundaries as recognised by the Indian government should not be penalised. For instance, a map published in a newspaper article about India’s border disputes that shows the incorrect claims that the Chinese government has made over Indian territory would also be penalised as “wrong or false topographic information of India”, since there is a clear intention to depict the boundary as claimed by China. Criminalising such journalism cannot be the legitimate intent of such a provision.

3.4.3. There are numerous instances which have been willfully depicting inaccurate and inauthentic maps of India with international borders for political ends. For instance, there are often depictions of India which show territories within present day Pakistan, Bangladesh, Bhutan, Nepal and Sri Lanka as part of an “Akhand Bharat.” Depictions of this sort should not be penalised. In doing so, would contradict the freedom of expression guaranteed under Article 19(1)(a) without being a reasonable restriction under Article 19(2).

3.4.4. Even depictions of India for purposes of speculative fiction would be penalised under this proposed bill unless they depict the official borders. This is clearly undesirable and would not be allowed as a reasonable restriction under Article 19(2).

*3.4.5.* Even geography students in schools and colleges who mis-draw the official map of India would be liable to penalties under the draft bill. This plainly, cannot be the intention of the drafters of this bill. The creator of a rough and inaccurate tourist map of an Indian city can also be identified as committing a criminal act under the proposed bill as she would be depicting “… wrong or false topographic information of India …”

3.4.6. In brief: Merely depicting, disseminating, publishing or distributing any “wrong or false topographic information of India” should not be penalised. unless a person publishes and widely circulates an incorrect map of India while claiming that that represents the official international boundaries of India, such should not be penalised.

3.4.7. CIS recommends that the bill should instead state: “No person shall depict, disseminate, publish, or distribute any topographic information purporting to accurately depict the international boundaries of India as recognised by the Survey of India unless he is authorised to do so by the Surveyor General of India; provided that usage by any person of the international boundaries as is electronically and in print made available by the Survey of India shall deemed to be usage that is authorised by the Surveyor General of India.”

3.5. Absence of Publicly Available and Openly Reusable Standardised National Boundary of India

3.5.1. Given the lack of an reusable versions of maps of India, including of India’s official boundary as recognised by the Survey of India, it becomes impossible for people to accurately depict the boundary of India. We recommend that the bill requires the Survey of India to publish all “Open Series Maps,”as defined in the National Mapping Policy, 2005, including maps depicting the official international and subnational political and administrative boundaries of India, using open geospatial standards and under an open licence allowing such geospatial data to be used by citizens and all companies.

3.6. Remove Requirement for Prior License for Acquire, Dissemination, Publication, or Distribution of Geospatial Information

3.6.1. Section 9 of the draft bill refers to “any person who wants to acquire, disseminate, publish, or distribute any geospatial information of India” (emphasis added), which can be interpreted as the need for a prior license before any person decides to acquire (including creation, collection, generation, and buying) geospatial information. This creates at least two problems:

• modern digital geospatial technologies have enabled everyday digital devices (like smartphones) to instantaneously acquire, disseminate, publish, and distribute geospatial information all the time when the person holding that device is looking at online digital maps, say Google Maps, or sharing location with their friends, online platforms and services and service providers (both local and foreign); and

• the requirement of prior license involves payment of a “requisite fees” to the Security Vetting Authority, which may act as an arbitrary (since the fee might be based upon the volume of geospatial information to be acquired that one may not know fully determine before acquiring) and effective barrier to acquiring, dissemination, publication, or distribution of geospatial information even if it does not violate the concerns of “security, sovereignty, and integrity” in any manner. This requirement also impedes competition in the market, because new entrants to the geospatial industry may not have enough upfront capital to procure licenses.

3.6.2. Further, the requirement of necessary prior license for acquiring geospatial information does not seem to be a crucial component of the security vetting process, since the geospatial information, once acquired by the agency concerned, is in any case directed to be shared with the Security Vetting Authority for undertaking necessary expunging of sensitive or incorrect information.

3.6.3. We recommend revision of this section so that no prior license and/or permission is required for collection, acquiring, distribution, and/or use of geospatial information; instead, a framework may be established for monitoring of published geospatial information for purposes of ensuring geospatial information pertaining to “Prohibited Places,” as defined under the Official Secrets Act, is not made available to the general public by any person or entity under Indian jurisdiction, including, for instance, Indian subsidiaries and branches of foreign corporations.. Such a framework must not address the end-user of such geospatial information, but its publishers.

3.7. Unenforceable jurisdictional scope

3.7.1. Section 5 of the draft bill states “[s]ave as otherwise provided in any international convention, treaty or agreement of which India is signatory or as provided in this Act, rules or regulations made thereunder, or with the general or special permission of the Security Vetting Authority, no person shall, in any manner, make use of, disseminate, publish or distribute any geospatial information of India, outside India, without prior permission from the Security Vetting Authority.”

3.7.2. In compliance with this section, domestic and foreign companies and platforms will be required to obtain permission from the Security Vetting Authority of India prior to publishing, distributing etc. geospatial information. Similarly in the preliminary, the draft bill holds in person who commits an offence beyond India under the scope of the bill. The bill is thus proposing extraterritorial applicability of its provisions, yet the extent and method of enforcement of the same on other jurisdictions are kept unclear.

3.8. Negative implications for rights of citizens

3.8.1. There are a number of sections in the draft bill which have negative implications for the rights of all users and potentially impinge on the constitutional rights of Indian citizens. These include:

a. Section 18(2) which empowers the Enforcement Authority to conduct a search without a judicial search order;

b. Section 17(3) which empowers the Enforcement Authority to conduct undefined surveillance and monitoring to enforce the Act;

c. Chapter (V) which penalises individuals with Rs. 1-100 Crores and/or seven years in prison for an offence under the act;

d. Section 22 which allows the government to take ownership of a person’s land if a financial penalty has not been paid;

e. Section 30(1) which holds, in the case of the offense being committed by a company, every person in charge of and responsible for the conduct of business of the company, guilty and liable.

3.9. Overly broad powers and responsibilities of the Apex Committee and Enforcement Authority, and lack of adequate oversight

3.9.1. Section 7(2) states that “[t]he Apex Committee shall do all such acts and deeds that may be necessary or otherwise desirable to achieve the objectives of the Act, including the following functions:...” The wording in this section is broad and open ended, and allows for the responsibilities of the Apex Committee to be expanded without clear oversight of such expansion.

3.9.2. Similarly, section 17 established an “Enforcement Authority” for the purpose of carrying out surveillance and monitoring for enforcement of the draft bill. The Authority has been given a number of powers including the power of inquiry, the power to adjudicate, and the power to give directions. These powers have direct implications on the rights of individuals, yet the Authority is not subject to oversight or accountability requirements.

3.9.3. We recommend that the powers and responsibilities of the Apex Committee and Enforcement Authority are narrowly defined in the draft bill itself, limited by the principle of necessity, and subject to independent oversight and accountability requirements.

3.10. Remove the Security Vetting Authority’s power of delegation

3.10.1. Section 8(3) allows the Security Vetting Authority to delegate to any constituent member of the Authority, other subordinate committee, or officer powers and functions as it may deem necessary except the power to grant a licence. In practice, this will allow security vetting to be done by another institution and risks potential involvement of private agencies and/or quasi-governmental bodies.

3.10.2. We recommend that the power of delegation should not be granted to the Security Vetting Authority.

3.11. Negative implications for innovation and India’s digital economy

3.11.1. Section 3 of the draft bill states “[s]ave as otherwise provided in this Act, rules or regulations made thereunder, or with the general or special permission of the Security Vetting Authority, no person shall acquire geospatial imagery or data including value addition of any part of India either through any space or aerial platforms such as satellite, aircrafts, airships, balloons, unmanned aerial vehicles or terrestrial vehicles, or any other means whatsoever”. This effectively ensures that each and every user of geospatial data, products, services, and solutions — since all of these either include or are derivatives of geospatial information — would require prior permission from the Security Vetting Authority. This will substantially affect the existing and emerging digital economy in particular, and the entire economy in general.

3.11.2. Further, Section 9 of the draft bill mandates that any person submitting an application for geospatial information to be vetted must pay a fee. As the provisions of the bill mandate that users approach the Security Vetting Authority for license to use geospatial information, this will impose an immense burden on all users of digital devices in and outside of India. CIS submits that imposition of this fee for security vetting be removed.

3.12. Disproportionate penalty for acquisition of geospatial information

3.12.1. Section 12 states that “[p]enalty for illegal acquisition of geospatial information of India.- Whoever acquires any geospatial information of India in contravention of section 3, shall be punished with a fine ranging from Rupees one crore to Rupees one hundred crore and/or imprisonment for a period upto seven years.” Seven years in prison is disproportionate to the offense of acquiring geospatial information without vetting by the authority concerned. This is particularly true given the broad and all-encompassing definition of “geospatial information” in the draft bill, and the fact that the bill applies to individuals and companies both within and outside of India.

3.13. Improper and inconsistent usage of terms in the draft bill

3.13.1. Section 4 of the draft bill regulates the visualization, publication, dissemination and distribution of geospatial information of India, while section 5 regulates use, dissemination, publication, and distribution of geospatial information outside of India. The definition of “visualization” remains unclear, and the act is only regulated in section 4. The section 6 of the draft bill uses the term ‘depict’, which is undefined as well. We submit that in this context terms are interchangeable, and the draft bill should either define them expressly to avoid ambiguity in interpretations, or consistently use only one throughout the draft bill.

3.13.2. Section 11 (3) of the draft bill requires licensees to “[d]isplay the insignia of the clearance of the Security Vetting Authority on the security-vetted geospatial information by appropriate means such as water-marking or licence as relevant, while disseminating or distributing of such geospatial information.” We observe that geospatial information includes graphical representation, location coordinates, inter alia. While the former may be represented visually on an “as is” basis after the completion of the vetting, the latter may be used to perform other complex functions at the “back-end” (i.e., vendor-facing side) in various technologies. Water-marking and/or displaying of insignia would place undue burden on the licensee, depending on the kind of platform, service, or individual.

3.14. Lack of reference to technical implementation guidance

3.14.1. The regulation, harmonisation, and standardisation of the collection, generation, dissemination etc. of geospatial information is a complex process that goes beyond a process of security vetting and that will require extensive technical implementation guidance from the government. At a minimum this could include quality assurance considerations and standard operating procedures, yet the draft bill makes no reference to the need for technical standards or guidance.

Comments prepared by Sumandro Chattapadhyay, Adya Garg, Pranesh Prakash, Anubha Sinha, and Elonnai Hickok. Submitted by the Centre for Internet and Society, on June 3, 2016.

Download the brief: PDF.

Introduction

Smart City as a concept is evolutionary in nature, and the key elements like Information and Communication Technology (ICT), digitization of services, Internet of Things (IoT), open data, big data, social innovation, knowledge, etc., would be intrinsic to defining a Smart City [1].

A Smart City, as a “system of systems”, can potentially generate vast amounts of data, especially as cities install more sensors, gain access to data from sources such as mobile devices, and government and other agencies make more data accessible. Consequently, Big Data techniques and concepts are highly relevant to the future of Smart Cities. It was noted by Kenneth Cukier, Senior Editor of Digital Products at The Economist, that Big Data techniques can be used to enhance a number of processes essential to cities - for example, big data can be used to spot business trends, determine quality of research, prevent diseases, tack legal citations, combat crime, and determine real-time roadway traffic conditions [2]. Having said this, data is deemed to be the lifeblood of a Smart City and its availability, use, cost, quality, analysis, associated business models and governance are all areas of interest for a range of actors within a smart city [3]

This blog reviews five Smart Cities namely Singapore, Dubai, New York City, London and Seoul. In doing so, the research seeks to point the similarities, differences and best practices in the development of smart cities across jurisdictions. To achieve this, the research reviews:

• The definition of a Smart City in a given context or project (if any).
• Existing policy/regulations around data or notes the lack thereof.
• The cities adherence to the International standards and providing an update on the current status of the Smart City programme.

Singapore

Introduction

The Smart Nation programme in Singapore was launched on 24th November, 2014. The programme is being driven by the Infocomm Development Authority of Singapore, through which Singapore seeks to harness ICT, networks and data to support improved livelihoods, stronger communities and creation of new opportunities for its residents [4] According to the IDA, a Smart Nation is a city where “people and businesses are empowered through increased access to data, more participatory through the contribution of innovative ideas and solutions, and a more anticipatory government that utilises technology to better serve citizens’ needs” [5]. The Smart Nation programme is driven by a designated Office in the Prime Minister’s Office [6]. As a core component to the Smart Nation Programme, the Smart Nation Platform has been developed as the technical architecture to support the Programme. This Platform enables greater pervasive connectivity, better situational awareness through data collection, and efficient sharing and access to collected sensor data, allowing public bodies to use such data to develop policy and practical interventions [7] Such access would allow for anticipatory governance - a goal of the Smart Nation Programme as noted by Dr. Yaacob Ibrahim, Minister for Communications and Information stating “Insights gained from this data would enable us to better anticipate citizens’ needs and help in better delivery of services” [8].

Status of the Project

• Development of Mobile Apps to facilitate communication between the public and the providers of public services.
• Organization of Hackathons by government agencies or corporations in collaboration with schools and industry partners to ideate and develop solutions to tackle real-world challenges.
• Adopt measure for smart mobility to create a more seamless transport experience and providing greater access to real-time transport information so that citizens can better plan their journeys.
• Smart technologies are also being introduced to the housing estates [10].

Policies and Regulations

The Smart Nation plan derives its legitimacy from the constitution of Singapore, holding the Prime Minister responsible to take charge of the subject ‘Smart Nation’ blueprint under the Statutory body of ‘Smart Nation’ Programme Office [11]. Singapore has a comprehensive data protection law – the Personal Data Protection Act 2012, rules governing the collection, use, disclosure and care of personal data. The Personal Data Protection Commission of Singapore has committed to work closely with the private sector, and also to support the Smart Nation vision on data privacy and cyber security ecosystem [12] [13].

Towards achieving the Smart Nation vision the government has also promoted the use of open data. In 2015 the Department of Statistics has made a vast amount of data available (across multiple themes say transport, infocomm, population, etc.) for free to the public in order to encourage innovation and facilitate the Smart Nation [14]. Prior to this initiative, the government had adopted the Open Data Policy in 2011, enabling public data for analysis, research and application development [15]. The concept of Virtual Singapore, which is a part of the Smart Nation Initiative, has been developed to adopt and simulate solutions on a virtual platform using big data analytics [16].

Adoption of International Standards

The Smart Nation initiative follows the standards laid under the purview of the Singapore Standards Council (SSC). It specifies three types of Internet of Things (IoT) Standards – sensor network standards (TR38 - for public areas & TR40 - for homes), IoT foundational standards (common set of guidelines for IoT requirements and architecture, information and service interoperability, security and data integrity) and domain-specific standards (healthcare, mobility, urban living, etc.) [17].

Singapore is part of ISO/IEC JTC 1/WG7 Sensor Networks and ISO/IEC JTC 1/WG10 Internet of Things (IoT) [18]. Singapore IT standards abides to the international standards as defined by ISO, ITU, etc.Singapore is a member of many international standards forums (see Singapore International Standards Committee) which includes JTC1/WG9 - Big Data; JTC1/WG10 - Internet of Things; JTC1/WG11 - Smart Cities.

Dubai, United Arab Emirates

Introduction

The Dubai Smart City strategy was launched as part of the Dubai Plan 2021 vision, in the year 2015 [19]. Dubai Plan 2021 describes the future of Dubai evolving through holistic and complementary perspectives, starting with the people and the society and places the government as the custodian of the city’s development. Within the Plan, the smart city theme envisions a platform that is fully connected and integrated infrastructure that enables easy mobility for all residents and tourists, and provides easy access to all economic centers and social services, in line with the world’s best cities [20]. Center to the smart city platform is data and data analytics, particularly cross functional data and big data techniques to give a complete view of the city [21] As envisioned, the Dubai Data portal would provide a gateway to empower relevant stakeholders to understand the nuances of the city and pursue questions that will result in the greatest impact from the city’s data [22]. The platform will be based on current data and existing services, initiatives, and networks to identify opportunities for a smart city [23]. The Smart City Plan also includes a framework for aligning districts of Dubai with the Smart City vision and dimensions [24].

The Smart Dubai roadmap 2015 provides a consolidated report and planned smart city services, its status and the stage of its implementation, for e.g. Smart Grid, Mobile Payment, Smart Water, Health applications, Public Wi-Fi, Municipality, E-Traffic solutions, etc [25].

Status of the Project

The Smart Dubai strategy is envisioned to be completed by the year 2020, and currently it’s ongoing. The first phase of Smart Dubai masterplan is expected to end by 2016. Between 2017 and 2019, the plan aims to deliver new initiatives and services. The second phase of the masterplan is expected to be completed by the year 2020 [26].

Policies and Regulations

The Smart City Plan is being driven by the Dubai Smart City Office – which has been established under Law No. (29) of 2015 on the establishment of Dubai Smart City Office; Law No. (30) of 2015 on the establishment of Dubai Smart City Establishment; Decree No. (37) of 2015 on the formation of the Board of the Dubai Smart City Office; and Decree No (38) of 2015- appointing a Director General for the Office, which will develop overall policies and strategic plans, supervise the smart transformation process and approve joint initiatives, projects and services [27]. Also, an open data law called Dubai Open Data Law was issued to complete the legislative framework for transforming Dubai into a Smart City [28]. This law will enable the sharing of non-confidential data between public entities and other stakeholders.

Adoption of International Standards

In 2015 the Smart Dubai Executive Committee has collaborated through an agreement with the International Telecommunications Union (ITU) adopt the performance indicators by the ITU Focus Group on Smart Sustainable Cities to evaluate the feasibility of the indicators [29]. The Focus Group is working towards identifying global best practices for the development of smart cities [30].

New York City, United States of America

Introduction

The ‘One New York Plan’ announced in the year 2015 is a comprehensive plan for a sustainable and resilient city. It includes the adoption of digital technology and considers the importance of the role of data in transforming every aspect of the economy, communications, politics, and individual and family life [31]. Furthermore, through a publication on 'Building a Smart+Equitable City', the Mayor’s Office of Technology and Innovation (MOTI) describes efforts to leverage new technologies to build Smart city.

Accordingly, the plan seeks to establish better lives through establishing principles and strategic frameworks to guide connected device and Internet of Things (IoT) implementation; MOTI serving as the coordinating entity for new technology and IoT deployments across all City agencies; collaborating with academia and the private sector on innovative pilot projects, and partnering with municipal governments and organizations around the world to share best practices and leverage the impact of technological advancements [32].

Status of the Project

OneNYC represents a unified vision for a sustainable, resilient, and equitable city developed with cross-cutting interagency collaboration, public engagement, and consultation with leading experts in their respective fields. The Mayor’s Office of Sustainability oversees the development of OneNYC and now shares responsibility with the Mayor’s Office of Recovery and Resiliency for ensuring its implementation [33].

Policies and Regulations

As per the Local Law 11 of 2012, each City entity must identify and ultimately publish all of its digital public data for citywide aggregation and publication by 2018. In adherence to this law, there exists a NYC Open Data Plan which requires annual data updation [34].

The LinkNYC initiative, one of the key projects to make New York a ‘smart’ city, aims to connect everyone through a city wide wi-fi network. The LinkNYC initiative will retrofit payphones with kiosks to provide high-speed WiFi hotspots and charging stations for increased connectivity [35]. Data Privacy in the initiative is addressed through the customer first privacy policy, which considers user’s privacy on priority and will not sell any personal information or share with third parties for their own use. LinkNYC will use anonymized, aggregate data to make the system more efficient and to develop insights to improve your Link experience [36].

Adoption of International Standards

The ANSI Network on Smart and Sustainable Cities (ANSSC) is a forum for information sharing and coordination on voluntary standards, conformity assessment and related activities for smart and sustainable cities in the US [37]. The US is a signatory of the ISO/ITU defined standards on smart cities [38].

London, United Kingdom

Introduction

The Smart London Plan was unveiled in the year 2013 by the Mayor of London. The plan is being driven through the Greater London Authority, with the advice of the Smart London Board. The Smart London Plan envisions ‘Using the creative power of new technologies to serve London and improve Londoner’s lives’ [39]. ‘Smart London’ is about harnessing new technology and data so that businesses, Londoners and visitors experience the city in a better way, and do not face bureaucratic hassle and congestion. Smart London seeks to improve the city as a whole and focuses on city macro functions that result from the interplay between city subsystems - such as local labour markets to financial markets, from local government to education, healthcare, transportation and utilities. According to strategy documents, a smarter London recognises and employs data as a service and will leverage data to enable informed decision making and the design of new activities.

Status of the Project

This project is currently ongoing. Since its formation in March 2013, the Smart London Board has been advising the Greater London Authority.The Plan sits within the overarching framework of the Mayor’s Vision 2020 [40].

Policies and Regulations

The Smart London Plan incorporates the existing open data platform called ‘London DataStore’. The rules and guidelines for this platform are defined by the Greater London Authority, which includes working with public and private sector organisations to create, maintain and utilise it, enabling common data standards, identify and prioritise which data are needed to address London’s growth challenges, establish a Smart London Borough Partnership to encourage boroughs to free up London’s local level data. Also, privacy is protected and there is transparent use of data - to ensure data use is managed in the best interests of the public rather than private enterprise.⁴² The Smart London Plan aims to build on this existing datastore to identify and publish data that addresses specific growth challenges, with an emphasis on working with companies and communities to create, maintain, and use this data [41].

The Open Data White Paper, issued by the Office of Paymaster General, seeks to build a transparent society by releasing public data through open data platforms and leveraging the potential of emerging technologies [42]. The Greater London Authority processes personal data in accordance with the Data Protection Act 1998 [43].

Adoption of International Standards

The British Standards Institution (BSI) has already established Smart City standards and has associated with the ISO Advisory Group on smart city standards. The UK subscribes to the BSI standards for smart cities and has adopted the same [44]. The following standards and publications help address various issues for a city to become a smart city:

• The development of a standard on Smart city terminology (PAS 180)
• The development of a Smart city framework standard (PAS 181)
• The development of a Data concept model for smart cities (PAS 182)
• A Smart city overview document (PD 8100)
• A Smart city planning guidelines document (PD 8101)
• BS 8904 Guidance for community sustainable development provides a decision-making framework that will help setting objectives in response to the needs and aspirations of city stakeholders
• BS 11000 Collaborative relationship management
• BSI BIP 2228:2013 Inclusive urban design - A guide to creating accessible public spaces.

Further, the Smart London Plan incorporates open data standards in accordance with London DataStore [45]. Various government reports – Smart Cities background paper, Open Data White Paper, etc., have suggested the use of standards related to Internet of Things (IoT), open data standards, etc [46].

Seoul, Korea

Introduction

Smart Seoul 2015 was announced in June 2011 by the Seoul Metropolitan Government, which envisions integrating IT services into every field, including administration, welfare, industry and living. Through this, the Seoul Metropolitan Government plans to create a Seoul that uses smart technologies by 2015 [47]. Towards this, the Seoul Metropolitan Government plans to make use of Big Data in policy development, and through scientific analytics, will provide customized administrative services and reduce wasteful spending. Also, the government is utilising Big Data to analyse trends emerging from existing services [48]. Examples of projects that leverage big data that the government has undertaken include the Taxi Matchmaking Project – analyzes the data related to taxi stands and passengers, the Owl Bus [49] - maps the bus routes, etc.

Status of the Project

Building on the Smart Seoul 2015, the Seoul Metropolitan Government plans to establish 'Global Digital Seoul 2020 – New Connections, Different Experiences' vision in next five-years. In this multi-objective plan, it aims to establish a ’Big Data campus’ providing win-win cooperation among public, private, industry and university [50].

Policies and Regulations

The Smart Seoul 2015 aims to create a ‘Seoul Data Mart’, which will be an open platform that makes public information available for data processing [51]. Furthermore, Seoul has opened the Seoul Open Data Plaza [52], an online channel to share and provide citizens with all of Seoul’s public data, such as real-time bus operation schedules, subway schedules, non-smoking areas, locations of public Wi-Fi services, shoeshine shops, and facilities for disabled people, and the information registered in Seoul Open Data Plaza is provided in the open API format.⁴⁵

South Korea has a comprehensive law governing data privacy – Personal Information Protection Act, 2011. The law includes data protection rules and principles, including obligations on the data controller and the consent of data subjects, rights to access personal data or object to its collection, and security requirements. It also covers cookies and spam, data processing by third parties and the international transfer of data [53].

International Standards

The smart city standards are adopted in the development of smart cities in Korea [54]. Korea has adopted the ISO/TC 268, which is focused on sustainable development in communities. Korea also has one working group developing city indicators and another working group developing metrics for smart community infrastructures [55].

Conclusion

The smart city projects studied are at different levels of implementation and have both similarities and differences. Below is an analysis of some of the key similarities and differences between smart city projects, a comparison of these points to India’s 100 Smart City Mission, and a summary of best practices around the development of smart city frameworks.

Nodal Agency

All cities studied have nodal agencies driving the smart city initiatives and many have policies in place backing these initiatives. For example, while the Smart Nation programme in Singapore is being driven by the Infocomm Development Authority, in London the smart city project is governed by the Great London Authority. The Smart Seoul Project in Korea is governed by the Seoul Metropolitan Government and New York has the Mayor’s Office of Technology and Innovation serving as the coordinating entity for new technology and IoT deployments across all City agencies. In India, the nodal agency driving the 100 Smart Cities Project is the Ministry of Urban Development under the Indian Government. In India, the implementation of the Mission at the City level will be done by a Special Purpose Vehicle (SPV), which will be a limited company and will plan, appraise, approve, release funds, implement, manage, operate, monitor and evaluate the Smart City development projects.

Policies

Many of the cities had open data policies and data protection policies that pertain to the Smart City initiatives. In Dubai, an open data law called Dubai Open Data Law has been issued to complete the legislative framework for transforming Dubai into a Smart City and the Smart City Establishment will develop policies for the project. New York also has an Open Data Plan in place and LinkNYC will use anonymized, aggregate data to address data privacy of users. In London, the Smart London Plan incorporates the existing open data platform called ‘London DataStore’, the rules for which are defined by the Greater London Authority, which also ensures privacy and transparent use of data by processing personal data in accordance with the Data Protection Act 1998. For regulation of data in Seoul, a ‘Seoul Data Mart’ will be established to make public information available for data processing and the Seoul Open Data Plaza is an existing online channel to share and provide citizens with all of Seoul’s public data. South Korea has a comprehensive law governing data privacy in place as well. In Singapore, the Personal Data Protection Commission has committed to work and support the Smart Nation vision on data privacy and cyber security ecosystem. To achieve the vision of the project, the government has also promoted the use of open data. It can be said the these countries , with clearly laid out policies to support and guide the project, have well planned ecosystem for regulation and governance of systems, technologies and cities. All cities have incorporated open data into smart cities and many have developed guidelines for its use. All cities have similar goals of enhancing the lives of citizens and developing anticipatory regulation, however, there appears to be little discussion on the need to amend existing law or enable new law around privacy and data protection in light of data collection through smart cities. In India, no enabling legislation or policy has been formulated by the Government, apart from releasing “Mission Statement and Guidelines”, which provides details about the Project and vision, excluding a definition of a ‘smart city’ or the relevant applicable laws and policies. No information is publicly available regarding deployment of open data, use of specific technologies like cloud, big data, etc., the relevant policies and applicability of laws. Unlike India, all cities recognize the importance of big data techniques in enabling smart city visions, technology and policies. On the lines of these cities, India must work towards addressing the need for an open data framework in light of the 100 Smart Cities Mission to enable the sharing of non-confidential data between public entities and other stakeholders. This requires co-ordination to incorporate, enable and draw upon open data architecture in the cities by the Government with the existing open data framework in India, like the National Data Sharing and Accessibility Policy, 2012. Use of technology in the form of IoT and Big Data entails access to open data, bringing another policy area in its ambit which needs consideration. Also, identification and development of open standards for IoT must be looked at. Also, as data in smart cities will be generated, collected, used, and shared by both the public and private sector. It is essential that India’s existing data protection standards and regime must be amended to extend the data regulation beyond a body corporate and oversee the collection and use of data by the Government, and its agencies.

Standards

In Singapore, the Smart Nation initiative follows the standards laid under the purview of the Singapore Standards Council (SSC)and the Singapore IT standards abides to the international standards as defined by ISO, ITU, etc. The Country is also a member of many international standards forums (see Singapore International Standards Committee) which includes JTC1/WG9- Big Data; JTC1/WG10 - Internet of Things; JTC1/WG11 - Smart Cities. In Dubai, the Smart Dubai Executive Committee with the International Telecommunications Union (ITU) to adopt the performance indicators by the ITU Focus Group on Smart Sustainable Cities to evaluate the feasibility of the indicators. For the purpose of standards, the ANSI Network on Smart and Sustainable Cities (ANSSC) in New York is a forum smart and sustainable cities, along with US being a signatory of the ISO/ITU defined standards on smart cities. Also, The British Standards Institution (BSI) has already established Smart City standards and has associated with the ISO Advisory Group on smart city standards. The UK subscribes to the BSI standards for smart cities and has adopted the same and the Smart London Plan incorporates open data standards in accordance with London DataStore. For development of smart cities, Korea has adopted the ISO/TC 268, which is focused on sustainable development in communities and also has one working group developing city indicators and another working group developing metrics for smart community infrastructures. However, in India, the Bureau of Indian Standards (BIS) has undertaken the task to formulate standardised guidelines for central and state authorities in planning, design and construction of smart cities by setting up a technical committee under the Civil engineering department of the Bureau. However, adoption of the standards by implementing agencies would be voluntary and intends to complement internationally available documents in this area. Also, The Global Cities Institute (GCI) has undertaken a mission in the year 2015 to align with the Bureau of Indian Standards regarding development of standards of smart cities and also to forge relationships with Indian cities in light of ISO 37120. It can be said that India has currently not yet adopted international standards, but is in the process of developing national standards and adopting key international standards. Unlike other cities,which are adopting standards - national, ISO, or ITU, Indian cities are yet to adopt standards for regulation of the future smart cities.

Notes for India

India is in the nascent stages of developing smart cities across the country. Drawing from the practices adopted by cities across the world, smart cities in India should adopt strong regulatory and governance frameworks regarding technical standards, open data and data security and data protection policies. These policies will be essential in ensuring the sustainability and efficiency of smart cities while safeguarding individual rights. Some of these policies are already in place - such as India’s Open Data Policy and India’s data protection standards under section 43A of the ITA. It will be important to see how these policies are adopted and applied to the context of smart cities.

References

[1] Smart Cities and Transparent Evolution, http://www.posterheroes.org/Posterheroes3/_mat/PH3_eng.pdf.

[2] "Data, Data Everywhere." The Economist, February 25, 2010. Accessed March 17, 2016, http://www.economist.com/node/15557443.

[3] "Smart Cities." ISO. 2015. Accessed March 17, 2016, http://www.iso.org/iso/smart_cities_report-jtc1.pdf.

[4] Transcript of Prime Minister Lee Hsien Loong's speech at Smart Nation launch on 24 November, http://www.pmo.gov.sg/mediacentre/transcript-prime-minister-lee-hsien-loongs-speech-smart-nation-launch-24-november.

[5] Smart Nation Vision, https://www.ida.gov.sg/Tech-Scene-News/Smart-Nation-Vision.

[6] Smart Nation, http://www.pmo.gov.sg/smartnation.

[7] Smart Nation Platform, https://www.ida.gov.sg/~/media/Files/About%20Us/Newsroom/Media%20Releases/2014/0617_smartnation/AnnexA_sn.pdf.

[8] Transcript of Prime Minister Lee Hsien Loong's speech at Smart Nation launch on 24 November, https://www.ida.gov.sg/blog/insg/featured/singapore-lays-groundwork-to-be-worlds-first-smart-nation/.

[9] Prime Ministers’ Office Singapore-Smart Nation, http://www.pmo.gov.sg/smartnation.

[10] Prime Ministers’ Office Singapore-Smart Nation, http://www.pmo.gov.sg/smartnation.

[11] Constitution of the Republic of Singapore (Responsibility of the Prime Minister) Notification 2015, http://statutes.agc.gov.sg/aol/search/display/view.w3p;page=0;query=Status%3Acurinforce%20Type%3Aact,sl%20Content%3A%22smart%22;rec=4;resUrl=http%3A%2F%2Fstatutes.agc.gov.sg%2Faol%2Fsearch%2Fsummary%2Fresults.w3p%3Bquery%3DStatus%253Acurinforce%2520Type%253Aact,sl%2520Content%253A%2522smart%2522;whole=yes.

[12] Personal Data Protection Singapore-Annual Report 2014-15, https://www.pdpc.gov.sg/docs/default-source/Reports/pdpc-ar-fy14---online.pdf.

[13] Balancing Innovation and Personal Data Protection, https://www.ida.gov.sg/Tech-Scene-News/Tech-News/Digital-Government/2015/9/Balancing-innovation-and-personal-data-protection.

[14] Department of Statistics Singapore- Free Access to More Data on the SingStat Website from 1 March 2015, http://www.singstat.gov.sg/docs/default-source/default-document-library/news/press_releases/press27022015.pdf.

[15] Singapore Marks 50th Birthday With Open Data Contest, https://blog.hootsuite.com/singapore-open-data/.

[16] Virtual Singapore - a 3D city model platform for knowledge sharing and community collaboration, http://www.sla.gov.sg/News/tabid/142/articleid/572/category/Press%20Releases/parentId/97/year/2014/Default.aspx.

[17] Internet of Things (IoT) Standards Outline to Support Smart Nation Initiative Unveiled, http://www.spring.gov.sg/NewsEvents/PR/Pages/Internet-of-Things-(IoT)-Standards-Outline-to-Support-Smart-Nation-Initiative-Unveiled-20150812.aspx.

[18] Information Technology Standards Committee, https://www.itsc.org.sg/technical-committees/internet-of-things-technical-committee-iottc and https://www.ida.gov.sg/~/media/Files/Infocomm%20Landscape/iN2015/Reports/realisingthevisionin2015.pdf.

[19] Government of Dubai-2021 Dubai Plan-Purpose, http://www.dubaiplan2021.ae/the-purpose/.

[20] Government of Dubai-2021 Dubai Plan, http://www.dubaiplan2021.ae/dubai-plan-2021/.

[21] Smart Dubai, http://www.smartdubai.ae/foundation_layers.php.

[22] The Internet of Things: Connections for People’s happiness, http://www.smartdubai.ae/story021002.php.

[23] Smart Dubai - Current State, http://www.smartdubai.ae/current_state.php.

[24] Smart Dubai - District Guidelines, http://smartdubai.ae/districtguidelines/Smart_Dubai_District_Guidelines_Public_Brief.pdf.

[25] See; http://roadmap.smartdubai.ae/search-services-public.php and http://roadmap.smartdubai.ae/search-initiatives-public.php.

[26] Smart Dubai-Smart District Guidelines, http://smartdubai.ae/districtguidelines/Smart_Dubai_District_Guidelines_Public_Brief.pdf.

[27] Dubai Ruler issues new laws to further enhance the organisational structure and legal framework of Dubai Smart City, https://www.wam.ae/en/news/emirates/1395288828473.html.

[28] See: http://slc.dubai.gov.ae/en/AboutDepartment/News/Lists/NewsCentre/DispForm.aspx?ID=147&ContentTypeId=0x01001D47EB13C23E544893300E8367A23439 and http://www.smartdubai.ae/dubai_data.php.

[29] Dubai first city to trial ITU key performance indicators for smart sustainable cities, http://www.itu.int/net/pressoffice/press_releases/2015/12.aspx#.VtaYtlt97IU.

[30] Smart Dubai Benchmark Report 2015 Executive Summary, http://smartdubai.ae/bmr2015/methodology-public.php.

[31] Building a Smart + Equitable City, http://www1.nyc.gov/assets/forward/documents/NYC-Smart-Equitable-City-Final.pdf

[32] Building a Smart + Equitable City, http://www1.nyc.gov/site/forward/innovations/smartnyc.page.

[33] One New York: The Plan for a Strong and Just City, http://www1.nyc.gov/html/onenyc/about.html

[34] Open Data for All, http://www1.nyc.gov/assets/home/downloads/pdf/reports/2015/NYC-Open-Data-Plan-2015.pdf.

[35] 7 public projects that are turning New York into a “smart city”, http://www.builtinnyc.com/2015/11/24/7-projects-are-turning-new-york-futuristic-technology-hub.

[36] LinkNYC, https://www.link.nyc/faq.html#privacy.

[7] ANSI Network on Smart and Sustainable Cities, http://www.ansi.org/standards_activities/standards_boards_panels/anssc/overview.aspx?menuid=3

[38] IoT-Enabled Smart City Framework, http://publicaa.ansi.org/sites/apdl/Documents/News%20and%20Publications/Links%20Within%20Stories/IoT-EnabledSmartCityFrameworkWP20160213.pdf.

[39] Smart London (UK) Plan: Digital Technologies, London and Londoners, http://munkschool.utoronto.ca/ipl/files/2015/03/KleinmanM_Smart-London-UK-v5_30AP2015.pdf.

[40] Smart London Plan, http://www.london.gov.uk/sites/default/files/smart_london_plan.pdf.

[41] Smart London Plan, http://www.london.gov.uk/sites/default/files/smart_london_plan.pdf.

[42] Open Data White Paper, https://data.gov.uk/sites/default/files/Open_data_White_Paper.pdf.

[43] London Datastore-Privacy, http://data.london.gov.uk/about/privacy/.

[44] Future Cities Standards Centre in London, https://eu-smartcities.eu/commitment/5937.

[45] Smart London Plan, http://www.london.gov.uk/sites/default/files/smart_london_plan.pdf.

[46] Smart Cities background paper, October 2013, https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/246019/bis-13-1209-smart-cities-background-paper-digital.pdf.

[47] Presentation of 2015 Blueprint of Seoul as ‘State-of-the-art Smart City’, http://english.seoul.go.kr/presentation-of-2015-blueprint-of-seoul-as-%E2%80%98state-of-the-art-smart-city%E2%80%99/.

[48] “Policy Where There is Demand,” Seoul Utilizes Big Data, http://english.seoul.go.kr/policy-demand-seoul-utilizes-big-data/

[49] Seoul’s “Owl Bus” Based on Big Data Technology, http://www.citiesalliance.org/sites/citiesalliance.org/files/Seoul-Owl-Bus-11052014.pdf

[50] Seoul Launches “Global Digital Seoul 2020”, http://english.seoul.go.kr/seoul-launches-global-digital-seoul-2020/

[51] Smart Seoul 2015, http://english.seoul.go.kr/wp-content/uploads/2014/02/SMART_SEOUL_2015_41.pdf

[52] Disclosing public data through the Seoul Open Data Plaza, http://english.seoul.go.kr/policy-information/key-policies/informatization/seoul-open-data-plaza/

[53] Data protection in South Korea: overview, http://uk.practicallaw.com/2-579-7926.

[54]Smart Cities Seoul: a case study, https://www.itu.int/dms_pub/itu-t/oth/23/01/T23010000190001PDFE.pdf

[55] Smart Cities-ISO, http://www.iso.org/iso/livelinkgetfile-isocs?nodeid=16193764.

On April 20, 2016, DNA carried a report on a PIL seeking action against advertisements for prostitution in newspapers and on websites. That report noted that the Mumbai Police had obtained an order from a magistrates court to block 174 objectionable websites, and had sent a list to the "Group Coordinator (Cyber Laws)" within the Department of Electronics and IT. On June 13, 2016, some news agencies carried reports about the Ministry of Communications and IT having ordered ISPs to block 240 websites.

As far as we know, the Mumbai Police has not proceeded against any of the people who run these websites, whose phone numbers are available, and whose names and addresses are also available in many cases through WHOIS queries on the domain names.

Unfortunately, the government does not make available publicly the list of websites they have ordered ISPs to block. Given that knowledge of what is censored by the government is crucial in a democracy, we are publishing the entire list of blocked websites.

Those of these websites that use TLS (i.e., those with 'https'), still appear to be available on multiple Indian ISPs, and others can be accessed by using a proxy VPN from outside India or by using Tor.

Notes:

• The list circulated to ISPs has two sub-lists, numbered from 1-174 (but containing 175 entries, with a numbering mistake), and 1-64, for a total of 239 URLs.
• 4 URLs are repeated in the list ("www.salini.in/navi-mumbai-independent-escort-service.php", "exmumbai.in", "www.mansimathur.in/pinkyagarwal", "www.mumbaifunclubs.com")
• For one website, both the domain name and a specific web page within it are listed (""www.mumbaiwali.in" and "www.mumbaiwali.in/navi-mumbai-escort-service.php")
• One URL is incomplete (No. 214: "www.independentescortservicemumbai.com/mumbai%20escort%20servi..")
• There are thus 235 unique URLs, targetting 234 websites and web pages.

Full List of Blocked URLs

1. www.sterlingbioscience.com
2. rawpoint.biz
3. www.onemillionbabes.com
4. www.mumbaihotcollection.in
5. simranoberoi.in
6. rubinakapoor.biz
7. talita.biz
8. www.mumbaiescortsagency.net
9. www.mumbaifunclubs.com
10. www.alishajain.co.in
11. www.ankitatalwar.co.in
12. https://www.jennyarora.ind.in
13. www.riya-kapoor.com
14. shneha.in
15. missinimi.in
16. www.mumbaiglamour.in
17. kalyn.in
18. www.saumyagiri.co.in/city/mumbai/
19. bookerotic.com
20. www.divyamalik.in
21. www.suhanisharma.co.in
22. www.ruhi.biz
23. umbaiqueens.in
24. www.aliyaghosh.com
25. priyasen.in
26. www.highprofilemumbaiescorts.co.in
27. charmingmumbai.com
28. www.poojamehata.in
29. kiiran.in/
30. mansikher.in
31. www.newmumbaiescorts.in
32. www.mumbaifunclubs.com
33. www.punarbas.in
34. www.discreetbabes.in
35. www.alisharoy.in
36. www.arpitarai.in
37. www.nidhipatel.in
38. navimumbailescort.com
39. www.zoyaescorts.com
40. www.juhioberoi.in
41. shoniya.in
42. panchibora.in
43. rehu.in
44. www.nehaanand.com
45. www.aditiray.co.in
46. www.rakhibajaj.in
47. www.alianoidaescorts.in
48. www.sobiya.in
49. www.alishaparul.in
50. mumbai-escorts.leathercurrency.com
51. ankita-ahuja.in
52. www.yamika.in
53. mumbailescort.co
54. www.ranjika.in
55. www.aditiray.com
56. www.alinamumbailescort.in
57. www.sonikaa.com/services/
58. riyamodel.in
59. mumbai-escorts.info
60. soonam.in
61. www.sejalthakkar.com
62. www.yomika-tandon.in
63. www.asika.in
64. www.siyasharma.org/
65. www.rubikamathur.in
66. www.mumbaiescortslady.com
67. www.sexyshe.in
68. www.indepandentescorts.com
69. www.saanvichopra.co.in
70. www.goswamipatel.in
71. ojaloberoi.in
72. www.naincy.in
73. www.sonyamehra.com
74. www.pinkgrapes.in
75. anjalitomar.in/
76. www.nishakohli.com/
77. sagentia.co.in
78. mumbai.vivastreet.co.in/escort+mumbai
79. www.deseescortgirls.in
80. guides.wonobo.com/mumbai/mumbai-escorts-service/.4299
81. jasmineescorts.com
82. www.shalinisethi.com
83. www.highclassmumbailescort.com
84. www.vipescortsinmumbai.com
85. www.mumbaiescorts69.co.in
86. monikabas.co.in
87. www.riyasehgal.com
88. onlycelebrity.in
89. www.greatmumbaiescorts.com/escort-service-mumbai.html
90. www.aishamumbailescort.com
91. www.jennydsouzaescort.com
92. www.desifun.in
93. www.siyaescort.co.in
94. masti—escort.in
95. www.sofya.in
96. www.mumbaiwali.in/navi-mumbai-escort-service.php
97. www.mumbaiwali.in
98. www.calldaina.com
99. www.mumbaiescortsservice.co.in
100. www.escortsgirlsinmumbai.com
101. www.passionmumbai.escorts.com
102. www.nehakapoor.in
103. meerakapoor.com
104. www.dianamumbaiescorts.net .in
105. www.allmumbailescort.in
106. www.rakhiarora.in
107. www.ritikasingh.com
108. www.rekhapatil.com
109. www.mumbaidolls.com
110. www.piapandey.com
111. www.mumbaicuteescorts.in
112. www.mumbaiescortssevice.com
113. www.onlycelebrity.com
114. www.meetescortservice.com
115. onlyoneescorts.com
116. simirai.org
117. www.riyamumbaiescorts.in
118. www.neharana.in
119. www.tanyaroy.com
120. www.mumbaihiprofilegirls.in
121. www.sexyescortsmumbai.in
122. www.sexymumbai.escorts.com
123. www.four-seasons—escort.in
124. www.mumbaiescortsgirl.com
125. www.vdreamescorts.com
126. www.passionatemumbaiescorts.in
127. www.payalmalhotra.in
128. www.shrutisinha.com
129. www.juliemumbaiescorts.com
130. www.indiasexservices.com/mumbai.html
131. www.mumbai-escorts.co.in
132. www.aliyamumbaiescorts.net.in
133. shivaniarora.co.in/escort–service-mumbai.html
134. www.pinkisingh.com
135. soyam.in
136. www.arpitaray.com
137. www.localescorts.in
138. www.jennifermumbaiescorts.com
139. www.yanaroy.com
140. escorts18.in/mumbai—escorts.html
141. www.tinamumbaiescorts.com
142. www.mumbaijannatescorts.com
143. www.deepikaroy.com
144. www.nancy.co.in
145. www.pearlpatel.in
146. 30minsmumbaiescorts.in
147. www.datinghopes.com
148. https://www.riyaroy.com/services.html
149. www.sonalikajain.com
150. www.zainakapoor.co.in
151. kavyajain.in
152. www.kinnu.co.in
153. exmumbai.in/
154. www.mansimathur.in/pinkyagarwal
155. exmumbai.in
156. www.mansimathur.in/pinkyagarwal
157. www.devikabatra.in
158. katlin.in
159. riyaverma.in
160. escortsinindia.co/
161. www.snehamumbaiescorts.in
162. shimi.in
163. www.mumbaiescortsforu.com/about
164. www.chetnagaur.co.in/chetna-gaur.html
165. www.escortspoint.in
166. www.rupalikakkar.in
167. www.hemangisinha.co.in
168. 1escorts.in/location/mumbai.html
169. www.salini.in/navi-mumbai-independent—escort-service.php
170. www.salini.in/navi-mumbai-independent-escort-service.php
171. www.mumbaibella.in
172. mohitescortservicesmumbai.com
173. www.anchu.in
174. www.aliyaroy.co.in
175. jaanu.co.in/mumbai-escorts-service-call-girls.html
176. www.andyverma.com
177. dreams-come-true.biz
178. feel–better.biz
179. jellyroll.biz
180. dreamgirlmumbai.com
181. role-play.biz
182. mansi—mathur.com
183. www.zarinmumbaiescorts.com
184. mymumbai.escortss.com
185. www.goldentouchescorts.com
186. www.mumbaipassion.biz
187. ishitamalhotra.com
188. happy-ending.biz
189. juicylips.biz
190. www.escortsmumbai.name
191. www.kirstygbasai.net
192. www.hiremumbaiescorts.com
193. www.meeraescorts.com/mumbai-escorts.php
194. 3–5–7star.biz
195. www.pranjaltiwari.com
196. www.richagupta.biz
197. way2heaven.biz
198. piya.co/
199. pinkflowers.info
200. www.beautifulmumbaiescorts.com
201. www.bestescortsinmumbai.com/charges-html
202. www.mumbaiescorts.me
203. www.tanikatondon.com
204. www.escortsinmumbai.biz
205. www.escortgirlmumbai.com
206. www.mumbaicallgrils.com
207. www.quickescort4u.com
208. www.mayamalhotra.com
209. www.legal-escort.com
210. escortsbaba.com/mumbai-escorts.html
211. rupa.biz
212. www.mumbaiescorts.agency/erotic-service-mumbai.html
213. www.escortscelebrity.com
214. www.independentescortservicemumbai.com/mumbai%20escort%20servi..
215. garimachopra.com
216. kajalgupta.biz
217. lipkiss.site
218. aanu.in
219. bombayescort.in
220. hotkiran.co.in
221. khushikapoor.in
222. joyapatel.in
223. rici.in
224. aaditi.in
225. andheriescorts.org.in
226. www.jiyapatel.in
227. spicymumbai.in
228. rimpyarora.in
229. lovemaking.co.in
230. riyadubey.co.in
231. escortservicesmumbai.in
232. mumbaiescorts.co.in
233. midnightprincess.in/
234. vashiescorts.co.in/
235. angee.in/
236. www.rozakhan.in/
237. www.mumbaiescortsvilla.in/
238. kylie.co.in/
239. escortservicemumbai.co.in

In March 2014, the US government announced that they were going to end the contract they have with ICANN to run the Internet Assigned Numbers Authority (IANA), and hand over control to the “global multistakeholder community”. They insisted that the plan for transition had to come through a multistakeholder process and have stakeholders “across the global Internet community”.

Why is the U.S. government removing the NTIA contract?

The main reason for the U.S. government's action is that it will get rid of a political thorn in the U.S. government's side: keeping the contract allows them to be called out as having a special role in Internet governance (with the Affirmation of Commitments between the U.S. Department of Commerce and ICANN, the IANA contract, and the cooperative agreement with Verisign), and engaging in unilateralism with regard to the operation of the root servers of the Internet naming system, while repeatedly declaring that they support a multistakeholder model of Internet governance.

This contradiction is what they are hoping to address. Doing away with the NTIA contract will also increase — ever so marginally — ICANN’s global legitimacy: this is something that world governments, civil society organizations, and some American academics have been asking for nearly since ICANN’s inception in 1998. For instance, here are some demands made in a declaration by the Civil Society Internet Governance Caucus at WSIS, in 2005:

“ICANN will negotiate an appropriate host country agreement to replace its California Incorporation, being careful to retain those aspects of its California Incorporation that enhance its accountability to the global Internet user community. "ICANN's decisions, and any host country agreement, must be required to comply with public policy requirements negotiated through international treaties in regard to, inter alia, human rights treaties, privacy rights, gender agreements and trade rules. … "It is also expected that the multi-stakeholder community will observe and comment on the progress made in this process through the proposed [Internet Governance] Forum."

In short: the objective of the transition is political, not technical. In an ideal world, we should aim at reducing U.S. state control over the core of the Internet's domain name system.¹

It is our contention that U.S. state control over the core of the Internet's domain name system is not being removed by the transition that is currently underway.

Why is the Transition Happening Now?

Despite the U.S. government having given commitments in the past that were going to finish the IANA transition by "September 30, 2000", (the White Paper on Management of Internet Names and Addresses states: "The U.S. Government would prefer that this transition be complete before the year 2000. To the extent that the new corporation is established and operationally stable, September 30, 2000 is intended to be, and remains, an 'outside' date.") and later by "fall of 2006",² those turned out to be empty promises. However, this time, the transition seems to be going through, unless the U.S. Congress manages to halt it.

However, in order to answer the question of "why now?" fully, one has to look a bit at the past.

In 1998, through the White Paper on Management of Internet Names and Addresses the U.S. government asserted it’s control over the root, and asserted — some would say arrogated to itself — the power to put out contracts for both the IANA functions as well as the 'A' Root (i.e., the Root Zone Maintainer function that Network Solutions Inc. then performed, and continues to perform to date in its current avatar as Verisign). The IANA functions contract — a periodically renewable contract — was awarded to ICANN, a California-based non-profit corporation that was set up exclusively for this purpose, but which evolved around the existing IANA (to placate the Internet Society).

Meanwhile, of course, there were criticisms of ICANN from multiple foreign governments and civil society organizations. Further, despite it being a California-based non-profit on contract with the government, domestically within the U.S., there was pushback from constituencies that felt that more direct U.S. control of the DNS was important.

As Goldsmith and Wu summarize:

"Milton Mueller and others have shown that ICANN’s spirit of “self-regulation” was an appealing label for a process that could be more accurately described as the U.S. government brokering a behind-the-scenes deal that best suited its policy preferences ... the United States wanted to ensure the stability of the Internet, to fend off the regulatory efforts of foreign governments and international organizations, and to maintain ultimate control. The easiest way to do that was to maintain formal control while turning over day-to-day control of the root to ICANN and the Internet Society, which had close ties to the regulation-shy American technology industry." [footnotes omitted]

And that brings us to the first reason that the NTIA announced the transition in 2014, rather than earlier.

ICANN Adjudged Mature Enough

The NTIA now sees ICANN as being mature enough: the final transition was announced 16 years after ICANN's creation, and complaints about ICANN and its legitimacy had largely died down in the international arena in that while. Nowadays, governments across the world send their representatives to ICANN, thus legitimizing ICANN. States have largely been satisfied by participating in the Government Advisory Council, which, as its name suggests, only has advisory powers. Further, unlike in the early days, there is no serious push for states assuming control of ICANN. Of course they grumble about the ICANN Board not following their advice, but no government, as far as I am aware, has walked out or refused to participate.

L'affaire Snowden

Many within the United States, and some without, believe that the United States not only plays an exceptional role to play in the running of the Internet — by dint of historical development and dominance of American companies — but that it ought to have an exceptional role because it is the best country to exercise 'oversight' over 'the Internet' (often coming from clueless commentators), and from dinosaurs of the Internet era, like American IP lawyers and American 'homeland' security hawks, Jones Day, who are ICANN's lawyers, and other jingoists and those policymakers who are controlled by these narrow-minded interests.

The Snowden revelations were, in that way, a godsend for the NTIA, as it allowed them a fig-leaf of international criticism with which to counter these domestic critics and carry on with a transition that they have been seeking to put into motion for a while. The Snowden revelations led Dilma Rousseff, President of Brazil, to state in September 2013, at the 68th U.N. General Assembly, that Brazil would "present proposals for the establishment of a civilian multilateral framework for the governance and use of the Internet", and as Diego Canabarro points out this catalysed the U.S. government and the technical community into taking action.

Given this context, a few months after the Snowden revelations, the so-called I* organizations met — seemingly with the blessing of the U.S. government³ — in Montevideo, and put out a 'Statement on the Future of Internet Governance' that sought to link the Snowden revelations on pervasive surveillance with the need to urgently transition the IANA stewardship role away from the U.S. government. Of course, the signatories to that statement knew fully well, as did most of the readers of that statement, that there is no linkage between the Snowden revelations about pervasive surveillance and the operations of the DNS root, but still they, and others, linked them together. Specifically, the I* organizations called for "accelerating the globalization of ICANN and IANA functions, towards an environment in which all stakeholders, including all governments, participate on an equal footing."

One could posit the existence of two other contributing factors as well.

Given political realities in the United States, a transition of this sort is probably best done before an ultra-jingoistic President steps into office.

Lastly, the ten-yearly review of the World Summit on Information Society was currently underway. At the original WSIS (as seen from the civil society quoted above) the issue of US control over the root was a major issue of contention. At that point (and during where the 2006 date for globalization of ICANN was emphasized by the US government).

Why Jurisdiction is Important

Jurisdiction has a great many aspects. Inter alia, these are:

• Legal sanctions applicable to changes in the root zone (for instance, what happens if a country under US sanctions requests a change to the root zone file?)
• Law applicable to resolution of contractual disputes with registries, registrars, etc.
• Law applicable to labour disputes.
• Law applicable to competition / antitrust law that applies to ICANN policies and regulations.
• Law applicable to disputes regarding ICANN decisions, such as allocation of gTLDs, or non-renewal of a contract.
• Law applicable to consumer protection concerns.
• Law applicable to financial transparency of the organization.
• Law applicable to corporate condition of the organization, including membership rights.
• Law applicable to data protection-related policies & regulations.
• Law applicable to trademark and other speech-related policies & regulations.
• Law applicable to legal sanctions imposed by a country against another.

Some of these, but not all, depend on where bodies like ICANN [the policy-making body], the IANA functions operator [the proposed "Post-Transition IANA"], and the root zone maintainer are incorporated or maintain their primary office, while others depend on the location of the office [for instance, Turkish labour law applies for the ICANN office in Istanbul], while yet others depend on what's decided by ICANN in contracts (for instance, the resolution of contractual disputes with ICANN, filing of suits with regard to disputes over new generic TLDs, etc.).

However, an issue like sanctions, for instance, depends on where ICANN/PTI/RMZ are incorporated and maintain their primary office.

As Milton Mueller notes, the current IANA contract "requires ICANN to be incorporated in, maintain a physical address in, and perform the IANA functions in the U.S. This makes IANA subject to U.S. law and provides America with greater political influence over ICANN."

He further notes that:

While it is common to assert that the U.S. has never abused its authority and has always taken the role of a neutral steward, this is not quite true. During the controversy over the .xxx domain, the Bush administration caved in to domestic political pressure and threatened to block entry of the domain into the root if ICANN approved it (Declaration of the Independent Review Panel, 2010). It took five years, an independent review challenge and the threat of litigation from a businessman willing to spend millions to get the .xxx domain into the root.

Thus it is clear that even if the NTIA's role in the IANA contract goes away, jurisdiction remains an important issue.

U.S. Doublespeak on Jurisdiction

In March 2014, when NTIA finally announced that they would hand over the reins to “the global multistakeholder community”. They’ve laid down two procedural condition: that it be developed by stakeholders across the global Internet community and have broad community consensus, and they have proposed 5 substantive conditions that any proposal must meet:

• Support and enhance the multistakeholder model;
• Maintain the security, stability, and resiliency of the Internet DNS;
• Meet the needs and expectation of the global customers and partners of the IANA services; and,
• Maintain the openness of the Internet.
• Must not replace the NTIA role with a solution that is government-led or an inter-governmental organization.

In that announcement there is no explicit restriction on the jurisdiction of ICANN (whether it relate to its incorporation, the resolution of contractual disputes, resolution of labour disputes, antitrust/competition law, tort law, consumer protection law, privacy law, or speech law, and more, all of which impact ICANN and many, but not all, of which are predicated on the jurisdiction of ICANN’s incorporation), the jurisdiction(s) of the IANA Functions Operator(s) (i.e., which executive, court, or legislature’s orders would it need to obey), and the jurisdiction of the Root Zone Maintainer (i.e., which executive, court, or legislature’s orders would it need to obey).

However, Mr. Larry Strickling, the head of the NTIA, in his testimony before the U.S. House Subcommittee on Communications and Technology, made it clear that,

“Frankly, if [shifting ICANN or IANA jurisdiction] were being proposed, I don't think that such a proposal would satisfy our criteria, specifically the one that requires that security and stability be maintained.”

Possibly, that argument made sense in 1998, due to the significant concentration of DNS expertise in the United States. However, in 2015, that argument is hardly convincing, and is frankly laughable.⁴

Targetting that remark, in ICANN 54 at Dublin, we asked Mr. Strickling:

"So as we understand it, the technical stability of the DNS doesn't necessarily depend on ICANN's jurisdiction being in the United States. So I wanted to ask would the US Congress support a multistakeholder and continuing in the event that it's shifting jurisdiction."

Mr. Strickling's response was:

"No. I think Congress has made it very clear and at every hearing they have extracted from Fadi a commitment that ICANN will remain incorporated in the United States. Now the jurisdictional question though, as I understand it having been raised from some other countries, is not so much jurisdiction in terms of where ICANN is located. It's much more jurisdiction over the resolution of disputes.

"And that I think is an open issue, and that's an appropriate one to be discussed. And it's one I think where ICANN has made some movement over time anyway.

"So I think you have to ... when people use the word jurisdiction, we need to be very precise about over what issues because where disputes are resolved and under what law they're resolved, those are separate questions from where the corporation may have a physical headquarters."

As we have shown above, jurisdiction is not only about the jurisdiction of "resolution of disputes", but also, as Mueller reminds us, about the requirement that ICANN (and now, the PTI) be "incorporated in, maintain a physical address in, and perform the IANA functions in the U.S. This makes IANA subject to U.S. law and provides America with greater political influence over ICANN."

In essence, the U.S. government has essentially said that they would veto the transition if the jurisdiction of ICANN or PTI's incorporation were to move out of the U.S., and they can prevent that from happening after the transition, since as things stand ICANN and PTI will still come within the U.S. Congress's jurisdiction.

Why Has the ICG Failed to Consider Jurisdiction?

Will the ICG proposal or the proposed new ICANN by-laws reduce existing U.S. control? No, they won't. (In fact, as we will argue below, the proposed new ICANN by-laws make this problem even worse.) The proposal by the names community ("the CWG proposal") still has a requirement (in Annex S) that the Post-Transition IANA (PTI) be incorporated in the United States, and a similar suggestion hidden away as a footnote. Further, the proposed by-laws for ICANN include the requirement that PTI be a California corporation. There was no discussion specifically on this issue, nor any documented community agreement on the specific issue of jurisdiction of PTI's incorporation.

Why wasn't there greater discussion and consideration of this issue? Because of two reasons: First, there were many that argued that the transition would be vetoed by the U.S. government and the U.S. Congress if ICANN and PTI were not to remain in the U.S. Secondly, the ICANN-formed ICG saw the US government’s actions very narrowly, as though the government were acting in isolation, ignoring the rich dialogue and debate that’s gone on earlier about the transition since the incorporation of ICANN itself.

While it would be no one’s case that political considerations should be given greater weightage than technical considerations such as security, stability, and resilience of the domain name system, it is shocking that political considerations have been completely absent in the discussions in the number and protocol parameters communities, and have been extremely limited in the discussions in the names community. This is even more shocking considering that the main reason for this transition is, as has been argued above, political.

It can be also argued that the certain IANA functions such as Root Zone Management function have a considerable political implication. It is imperative that the political nature of the function is duly acknowledged and dealt with, in accordance with the wishes of the global community. In the current process the political aspects of the IANA function has been completely overlooked and sidelined. It is important to note that this transition has not been a necessitated by any technical considerations. It is primarily motivated by political and legal considerations. However, the questions that the ICG asked the customer communities to consider were solely technical. Indeed, the communities could have chosen to overlook that, but they did not choose to do so. For instance, while the IANA customer community proposals reflected on existing jurisdictional arrangements, they did not reflect on how the jurisdictional arrangements should be post-transition , while this is one of the questions at the heart of the entire transition. There were no discussions and decisions as to the jurisdiction of the Post-Transition IANA: the Accountability CCWG's lawyers, Sidley Austin, recommended that the PTI ought to be a California non-profit corporation, and this finds mention in a footnote without even having been debated by the "global multistakeholder community", and subsequently in the proposed new by-laws for ICANN.

Why the By-Laws Make Things Worse & Why "Work Stream 2" Can't Address Most Jurisdiction Issues

The by-laws could have chosen to simply stayed silent on the matter of what law PTI would be incorporated under, but instead the by-law make the requirement of PTI being a California non-profit public benefit corporation part of the fundamental by-laws, which are close to impossible to amend.

While "Work Stream 2" (the post-transition work related to improving ICANN's accountability) has jurisdiction as a topic of consideration, the scope of that must necessarily discount any consideration of shifting the jurisdiction of incorporation of ICANN, since all of the work done as part of CCWG Accountability's "Work Stream 1", which are now reflected in the proposed new by-laws, assume Californian jurisdiction (including the legal model of the "Empowered Community"). Is ICANN prepared to re-do all the work done in WS1 in WS2 as well? If the answer is yes, then the issue of jurisdiction can actually be addressed in WS2. If the answer is no ­— and realistically it is — then, the issue of jurisdiction can only be very partially addressed in WS2.

Keeping this in mind, we recommended specific changes in the by-laws, all of which were rejected by CCWG's lawyers.

The Transition Plan Fails the NETmundial Statement

The NETmundial Multistakeholder Document, which was an outcome of the NETmundial process, states:

In the follow up to the recent and welcomed announcement of US Government with regard to its intent to transition the stewardship of IANA functions, the discussion about mechanisms for guaranteeing the transparency and accountability of those functions after the US Government role ends, has to take place through an open process with the participation of all stakeholders extending beyond the ICANN community

[...]

It is expected that the process of globalization of ICANN speeds up leading to a truly international and global organization serving the public interest with clearly implementable and verifiable accountability and transparency mechanisms that satisfy requirements from both internal stakeholders and the global community.

The active representation from all stakeholders in the ICANN structure from all regions is a key issue in the process of a successful globalization.

As our past analysis has shown, the IANA transition process and the discussions on the mailing lists that shaped it were neither global nor multistakeholder. The DNS industry represented in ICANN is largely US-based. 3 in 5 registrars are from the United States of America, whereas less than 1% of ICANN-registered registrars are from Africa. Two-thirds of the Business Constituency in ICANN is from the USA. While ICANN-the-corporation has sought to become more global, the ICANN community has remained insular, and this will not change until the commercial interests involved in ICANN can become more diverse, reflecting the diversity of users of the Internet, and a TLD like .COM can be owned by a non-American corporation and the PTI can be a non-American entity.

What We Need: Jurisdictional Resilience

It is no one's case that the United States is less fit than any other country as a base for ICANN, PTI, or the Root Zone Maintainer, or even as the headquarters for 9 of the world's 12 root zone operators (Verisign runs both the A and J root servers). However, just as having multiplicity of root servers is important for ensuring technical resilience of the DNS system (and this is shown in the uptake of Anycast by root server operators), it is equally important to have immunity of core DNS functioning from political pressures of the country or countries where core DNS infrastructure is legally situated and to ensure that we have diversity in terms of legal jurisdiction.

Towards this end, we at CIS have pushed for the concept of "jurisdictional resilience", encompassing three crucial points:

• Legal immunity for core technical operators of Internet functions (as opposed to policymaking venues) from legal sanctions or orders from the state in which they are legally situated.
• Division of core Internet operators among multiple jurisdictions
• Jurisdictional division of policymaking functions from technical implementation functions

Of these, the most important is the limited legal immunity (akin to a greatly limited form of the immunity that UN organizations get from the laws of their host countries). This kind of immunity could be provided through a variety of different means: a host-country agreement; a law passed by the legislature; a U.N. General Assembly Resolution; a U.N.-backed treaty; and other such options exist. We are currently investigating which of these options would be the best option.

And apart from limited legal immunity, distribution of jurisdictional control is also valuable. As we noted in our submission to the ICG in September 2015:

Following the above precepts would, for instance, mean that the entity that performs the role of the Root Zone Maintainer should not be situated in the same legal jurisdiction as the entity that functions as the policymaking venue. This would in turn mean that either the Root Zone Maintainer function be taken up Netnod (Sweden-headquartered) or the WIDE Project (Japan-headquartered) [or RIPE-NCC, headquartered in the Netherlands], or that if the IANA Functions Operator(s) is to be merged with the RZM, then the IFO be relocated to a jurisdiction other than those of ISOC and ICANN. This, as has been stated earlier, has been a demand of the Civil Society Internet Governance Caucus. Further, it would also mean that root zone servers operators be spread across multiple jurisdictions (which the creation of mirror servers in multiple jurisdictions will not address).

However, the issue of jurisdiction seems to be dead-on-arrival, having been killed by the United States government.

Unfortunately, despite the primary motivation for demands for the IANA transition being those of removing the power the U.S. government exercises over the core of the Internet's operations in the form of the DNS, what has ended up happening through the IANA transition is that these powers have not only not been removed, but in some ways they have been entrenched further! While earlier, the U.S. had to specify that the IANA functions operator had to be located in the U.S., now ICANN's by-laws themselves will state that the post-transition IANA will be a California corporation. Notably, while the Montevideo Declaration speaks of "globalization" of ICANN and of the IANA functions, as does the NETmundial statement, the NTIA announcement on their acceptance of the transition proposals speaks of "privatization" of ICANN, and not "globalization".

All in all, the "independence" that IANA is gaining from the U.S. is akin to the "independence" that Brazil gained from Portugal in 1822. Dom Pedro of Brazil was then ruling Brazil as the Prince Regent since his father Dom João VI, the King of United Kingdom of Portugal, Brazil and the Algarves had returned to Portugal. In 1822, Brazil declared independence from Portugal (which was formally recognized through a treaty in 1825). Even after this "independence", Dom Pedro continued to rule Portugal just as he had before indepedence, and Dom João VI was provided the title of "Emperor of Brazil", aside from being King of the United Kingdom of Portugal and the Algarves. The "indepedence" didn't make a whit of a difference to the self-sufficiency of Brazil: Portugal continued to be its largest trading partner. The "independence" didn't change anything for the nearly 1 million slaves in Brazil, or to the lot of the indigenous peoples of Brazil, none of whom were recognized as "free". It had very little consequence not just in terms of ground conditions of day-to-day living, but even in political terms.

Such is the case with the IANA Transition: U.S. power over the core functioning of the Domain Name System do not stand diminished after the transition, and they can even arguably be said to have become even more entrenched. Meet the new boss: same as the old boss.

The Telecom Regulatory Authority of India (TRAI) asked for public comments on free data. Below are the comments that CIS submitted to the four questions that it posed.

Question 1

Is there a need to have TSP agnostic platform to provide free data or suitable reimbursement to users, without violating the principles of Differential Pricing for Data laid down in TRAI Regulation? Please suggest the most suitable model to achieve the objective.

Is There a Need for Free Data?

No, there is no need for free data, just as there is no need for telephony or Internet. However, making provisions for free data would increase the amount of innovation in the Internet and telecom sector, and there is a good probability that it would lead to faster adoption of the Internet, and thus be beneficial in terms of commerce, freedom of expression, freedom of association, and many other ways.

Thus the question that a telecom regulator should ask is not whether there is a need for TSP agnostic platforms, but whether such platforms are harmful for competition, for consumers, and for innovation. The telecom regulator ought not undertake regulation unless there is evidence to show that harm has been caused or that harm is likely to be caused. In short, TRAI should not follow the precautionary principle, since the telecom and Internet sectors are greatly divergent from environmental protection: the burden of proof for showing that something ought to be prohibited ought to be on those calling for prohibition.

Goal: Regulating Gatekeeping

TRAI wouldn’t need to regulate price discrimination or Net neutrality if ISPs were not “gatekeepers” for last-mile access. “Gatekeeping” occurs when a single entity establishes itself as an exclusive route to reach a large number of people and businesses or, in network terms, nodes. It is not possible for Internet services to reach their end customers without passing through ISPs (generally telecom networks). The situation is very different in the middle-mile and for backhaul. Even though anti-competitive terms may exist in the middle-mile, especially given the opacity of terms in “transit agreements”, a packet is usually able to travel through multiple routes if one route is too expensive (even if that is not the shortest network path, and is thus inefficient in a way). However, this multiplicity of routes is generally not possible in the last mile.¹ This leaves last mile telecom operators (ISPs) in a position to unfairly discriminate between different Internet services or destinations or applications, while harming consumer choice.

However, the aim of regulation by TRAI cannot be to prevent gatekeeping, since that is not possible as long as there are a limited number of ISPs. For instance, even by the very act of charging money for access to the Internet, ISPs are guilty of “gatekeeping” since they are controlling who can and cannot access an Internet service that way. Instead, the aim of regulation by TRAI should be to “regulate gatekeepers to ensure they do not use their gatekeeping power to unjustly discriminate between similarly situated persons, content or traffic”, as we proposed in our submission to TRAI (on OTTs) last year.

Models for Free Data

There are multiple models possible for free data, none of which TRAI should prohibit unless it would enable OTTs to abuse their gatekeeping powers.

Government Incentives For Non-Differentiated Free Data

The government may opt to require all ISPs to provide free Internet to all at a minimum QoS in exchange for exemption from paying part of their USO contributions, or the government may pay ISPs for such access using their USO contributions.

TRAI should recommend to DoT that it set up a committee to study the feasibility of this model.

ISP subsidies

ISP subsidies of Internet access only make economic sense for the ISP under the following ‘Goldilocks’ condition is met: the experience with the subsidised service is ‘good enough’ for the consumers to want to continue to use such services, but ‘bad enough’ for a large number of them to want to move to unsubsidised, paid access.

1. Providing free Internet to all at a low speed.
   1. This naturally discriminates against services and applications such as video streaming, but does not technically bar access to them.
2. Providing free access to the Internet with other restrictions on quality that aren’t discriminatory with respect to content, services, or applications.

Rewards model

A TSP-agnostic rewards platform will only come within the scope of TRAI regulation if the platform has some form of agreement with the TSPs, even if it is collectively. If the rewards platform doesn’t have any agreement with any TSP, then TRAI does not have the power to regulate it. However, if the rewards platform has an agreement with any TSP, it is unclear whether it would be allowed under the Differential Data Tariff Regulation, since the clause 3(2) read with paragraph 30 of the Explanatory Memorandum might disallow such an agreement.

Assuming for the sake of argument that platforms with such agreements are not disallowed, such platforms can engage in either post-purchase credits or pre-purchase credits, or both. In other words, it could be a situation where a person has to purchase a data pack, engage in some activity relating to the platform (answer surveys, use particular apps, etc.) and thereupon get credit of some form transferred to one’s SIM, or it could be a situation where even without purchasing a data pack, a consumer can earn credits and thereupon use those credits towards data.

The former kind of rewards platform is not as useful when it comes to encouraging people to use the Internet, since only those who already see worth in using in the Internet (and can afford it) will purchase a data pack in the first place. The second form, on the other hand is quite useful, and could be encouraged. However, this second model is not as easily workable, economically, for fixed line connections, since there is a higher initial investment involved.

Recharge API

A recharge API could be fashioned in one of two ways: (1) via the operating system on the phone, allowing a TSP or third parties (whether OTTs or other intermediaries) to transfer credit to the SIM card on the phone which have been bought wholesale. Another model could be that of all TSPs providing a recharge API for the use of third parties. Only the second model is likely to result in a “toll-free” experience since in the first model, like in the case of a rewards platform that requires up-front purchase of data packs, there has to be a investment made first before that amount is recouped. This is likely to hamper the utility of such a model.

Further, in the first case, TRAI would probably not have the powers to regulate such transactions, as there would be no need for any involvement by the TSP. If anti-competitive agreements or abuse of dominant position seems to be taking place, it would be up to the Competition Commission of India to investigate.

However, the second model would have to be overseen by TRAI to ensure that the recharge APIs don’t impose additional costs on OTTs, or unduly harm competition and innovation. For instance, there ought to be an open specification for such an API, which all the TSPs should use in order to reduce the costs on OTTs. Further, there should be no exclusivity, and no preferential treatment provided for the TSPs sister concerns or partners.

“0.example” sites

Other forms of free data, for instance by TSPs choosing not to charge for low-bandwidth traffic should be allowed, as long as it is not discriminatory, nor does it impose increased barriers to entry for OTTs. For instance, if a website self-certifies that it is low-bandwidth and optimized for Internet-enabled feature phones and uses 0.example.tld to signal this (just as wap.* were used in for WAP sites and m.* are used for mobile-optimized versions of many sites), then there is no reason why TSPs should be prohibited from not charging for the data consumed by such websites, as long as the TSP does so uniformly without discrimination. In such cases, the TSP is not harming competition, harming consumers, nor abusing its gatekeeping powers.

OTT-agnostic free data

If a TSP decides not to charge for specific forms of traffic (for example, video, or for locally-peered traffic) regardless of the Internet service from which that traffic emanates, as as long as it does so with the end customer’s consent, then there is no question of the TSP harming competition, harming consumers, nor abusing its gatekeeping powers. There is no reason such schemes should be prohibited by TRAI unless they distort markets and harm innovation.

Unified marketplace

One other way to do what is proposed as the “recharge API” model is to create a highly-regulated market where the gatekeeping powers of the ISP are diminished, and the ISP’s ability to leverage its exclusive access over its customers are curtailed. A comparison may be drawn here to the rules that are often set by standard-setting bodies where patents are involved: given that these patents are essential inputs, access to them must be allowed through fair, reasonable, and non-discriminatory licences. Access to the Internet and common carriers like telecom networks, being even more important (since alternatives exist to particular standards, but not to the Internet itself), must be placed at an even higher pedestal and thus even stricter regulation to ensure fair competition.

A marketplace of this sort would impose some regulatory burdens on TRAI and place burdens on innovations by the ISPs, but a regulated marketplace harms ISP innovation less than not allowing a market at all.

At a minimum, such a marketplace must ensure non-exclusivity, non-discrimination, and transparency. Thus, at a minimum, a telecom provider cannot discriminate between any OTTs who want similar access to zero-rating. Further, a telecom provider cannot prevent any OTT from zero-rating with any other telecom provider. To ensure that telecom providers are actually following this stipulation, transparency is needed, as a minimum.

Transparency can take one of two forms: transparency to the regulator alone and transparency to the public. Transparency to the regulator alone would enable OTTs and ISPs to keep the terms of their commercial transactions secret from their competitors, but enable the regulator, upon request, to ensure that this doesn’t lead to anti-competitive practices. This model would increase the burden on the regulator, but would be more palatable to OTTs and ISPs, and more comparable to the wholesale data market where the terms of such agreements are strictly-guarded commercial secrets. On the other hand, requiring transparency to the public would reduce the burden on the regulator, despite coming at a cost of secrecy of commercial terms, and is far more preferable.

Beyond transparency, a regulation could take the form of insisting on standard rates and terms for all OTT players, with differential usage tiers if need be, to ensure that access is truly non-discriminatory. This is how the market is structured on the retail side.

Since there are transaction costs in individually approaching each telecom provider for such zero-rating, the market would greatly benefit from a single marketplace where OTTs can come and enter into agreements with multiple telecom providers.

Even in this model, telecom networks will be charging based not only on the fact of the number of customers they have, but on the basis of them having exclusive routing to those customers. Further, even under the standard-rates based single-market model, a particular zero-rated site may be accessible for free from one network, but not across all networks: unlike the situation with a toll-free number in which no such distinction exists.

To resolve this, the regulator may propose that if an OTT wishes to engage in paid zero-rating, it will need to do so across all networks, since if it doesn’t there is risk of providing an unfair advantage to one network over another and increasing the gatekeeper effect rather than decreasing it.

Question 2

Whether such platforms need to be regulated by the TRAI or market be allowed to develop these platforms?

In many cases, TRAI would have no powers over such platforms, so the question of TRAI regulating does not arise. In all other cases, TRAI can allow the market to develop such platforms, and then see if any of them violates the Discriminatory Data Tariffs Regualation. For government-incentivised schemes that are proposed above, TRAI should take proactive measure in getting their feasibility evaluated.

Question 3

Whether free data or suitable reimbursement to users should be limited to mobile data users only or could it be extended through technical means to subscribers of fixed line broadband or leased line?

Spectrum is naturally a scarce resource, though technological advances (as dictated by Cooper’s Law) and more efficient management of spectrum make it less so. However, we have seen that fixed-line broadband has more or less stagnated for the past many years, while mobile access has increased. So the market distortionary power of fixed-line providers is far less than that of mobile providers. However, competition is far less in fixed-line Internet access services, while it is far higher in mobile Internet access. Switching costs in fixed-line Internet access services are also far higher than in mobile services. Given these differences, the regulation with regard to price discrimination might justifiably be different.

All in all, for this particular issue, it is unclear why different rules should apply to mobile users and fixed line users.

Question 4

Any other issue related to the matter of Consultation.

None.

1. What are the Sustainable Development Goals?

2. The Need for a Data Revolution

3. Big Data: Characteristics and Use for Development

3.1. Characteristics of Big Data

3.2. Using Big Data for Development

4. Sustainable Development and Data Rights

5. Governance Frameworks Proposed

5.1. UN Sustainable Development Solutions Network

5.2. The UN DATA Revolution Group

5.3. Organization for Economic Co-Operation and Development

5.4. The Global Partnership for Sustainable Development of Data

5.5. The World Economic Forum (WEF)

5.6. Dr. Julia Lane - A Quadruple Data Helix

5.7. Data Pop Alliance

6. Conclusion

7. Endnotes

8. Author Profile

Speaking on Big Data, Dan Ariely commented that, "Everyone talks about it, nobody really knows how to do it, and everyone thinks everyone else is doing it, so everyone claims they are doing it" [1]. This offers a useful insight into the lack of adequate discourse on the kind of governance and accountability frameworks that are needed to facilitate the developmental, sustainable, and responsible uses of big data.

In light of the recent international proposals to use big data to track the Sustainable Development Goals, this paper highlights the different models of management, sharing, and governance of data that are being discussed, and concurrently, how they conceptualise the various rights around big data and how are they to be protected.

1. What are the Sustainable Development Goals?

The Sustainable Development Goals, otherwise known as the Global Goals, build on the Millennium Development Goals (MDGs). Adopted on 1 January 2016, these universally applicable 17 goals of the 2030 Agenda for Sustainable Development, seek to end all forms of poverty, fight inequalities, tackle climate change and address a range of social needs like education, health, social protection and job opportunities over the next 15 years [2].

Source: UN Data Revolution Group, A World that Counts, 2014, p.12.

2. The Need for a Data Revolution

An overwhelming cause of concern regarding the precursor to the SDGs, the MDGs, is the data unavailability to monitor their progress. For instance, the figure below indicates that there is no five-year period when the availability of MDG related data is more than 70% of what is required. Entire groups of people and key issues remain invisible [3]. Lack of data is not only a problem for global statisticians, but also for people whose needs and demands remain invisible due to lack of quantitative representation of the same. For instance, the incidences of gender related crimes when not recorded could lead to a misconception on the achievement of the MDG of gender equality.

Source: UN, Sustainable Development Goals.

As the new goals (SDGs) cover a wider range of issues it is clear that a far higher level of detail is required. To this effect the High-Level Panel of Eminent Persons on the post-2015 agenda has called for a "data revolution for sustainable development" [4].

The world is experiencing a Data Revolution and a "data deluge." One estimate has it that 90% of the data in the world has been created in the last 2 years. As Eric Schmidt of Google in 2010 famously said, "There were 5 exabytes of information created between the dawn of civilization through 2003, but that much information is now created every 2 days [5].

In its report A World that Counts, the UN Data Revolution Group defines the data revolution as an explosion in the volume of data, the speed with which data are produced, the number of producers of data, the dissemination of data, and the range of things on which there is data, coming from new technologies such as mobile phones and the “internet of things”, and from other sources, such as qualitative data, citizen-generated data and perceptions data [6].

This data revolution in the context of sustainable development has been defined by the UN Secretary General’s Independent Expert Advisory Group (IEAG) as follows:

[T]he integration of data coming from new technologies with traditional data in order to produce relevant high‐quality information with more details and at higher frequencies to foster and monitor sustainable development. This revolution also entails the increase in accessibility to data through much more openness and transparency, and ultimately more empowered people for better policies, better decisions and greater participation and accountability, leading to better outcomes for the people and the planet [7].

The majority of such “data coming from new technologies” is what can be called big data. It is data being generated in real-time, in high velocity and volume, in a variety of forms and formats, and on an increasing range of phenomenon that are being mediated by digital technologies – from governance to human communication. Further, a good part of such big data is not about the content of the phenomenon concerned but about its process – for example, Call Detail Records are generated for each mobile phone call a person makes and it contains data about the process of the call (time, location, duration, recipient, etc.) but not about the content of the call. Big data about various governmental and human processes are becoming a crucial instrument for documenting and monitoring of the same.

3. Big Data: Characteristics and Use for Development

3.1. Characteristics of Big Data

The simplest definition of big data is that it is a dataset of more than 1 petabyte. The US Bureau of Labour Statistics terms it to be non-sampled data, characterized by the creation of databases from electronic sources whose primary purpose is something other than statistical inference [8].

The characteristics which broadly distinguish Big Data are sometimes called the “3 V’s”: more volume, more variety and higher rates of velocity [9]. Big data sources generally share some or all of these features [10]:

• Digitally generated,
• Passively produced,
• Automatically collected,
• Geographically or temporally trackable, and
• Continuously analysed.

Increasingly, Big Data is recognised as creating "new possibilities for international development" [11]. It could provide faster, cheaper, more granular data and help meet growing and changing demands. It was claimed, for example, that "Google knows or is in a position to know more about France than INSEE" [12], its highly resourceful national statistical agency. To illustrate, Global Pulse gives the example of a hypothetical small household facing soaring commodity prices, particularly food and fuel [13]. They have the options of:

• Getting part of their food at a nearby World Food Programme distribution centre,
• Reducing mobile usage,
• Temporarily taking their children out of school,
• Calling a health hotline when children show signs of malnutrition related diseases, and
• Venting about their frustration on social media.

Such a systemic shock of food insecurity will prompt thousands of households to react in roughly similar ways. These collective behavioural changes may show up in different digital data sources:

• WFP might record that it serves twice as many meals a day,
• The local mobile operator may see reduced usage,
• UNICEF data may indicate that school attendance has dropped,
• Health hotlines might see increased volumes of calls reporting malnutrition, and
• Tweets mentioning the difficulty to “afford food” might begin to rise.

Thus the power of real-time, digital data to predict paths for development is immense. Amassing such a large volume of data which tracks practically every aspect of social behavious can revolutionize the field of official statistics and policy making.

Two points to be noted are: 1) all these data sources are not available for comparison in the real-time by default, so one task before using big data in developmental work is to make data from different sources available across agencies and make them comparable, and 2) finding repeating patterns within large data sets, sourced from varied origins, can not only allow for monitoring but also (statistically) predicting future possibilities and implications for development action.

3.2. Using Big Data for Development

There are several international organizations attempting to use such data.

Global Pulse, a United Nations initiative, launched by the Secretary-General in 2009, seeks to leverage innovations in digital data, rapid data collection and analysis to help decision-makers gain a real-time understanding of how crises impact vulnerable populations. To this end, Global Pulse is establishing an integrated, global network of Pulse Labs, anchored in Pulse Lab New York, to pilot the approach at country level [14].

The Global Working Group on Big Data for Official Statistics, created in May 2014, pursuant to Statistical Commission, makes an inventory of ongoing activities and examples regarding the use of big data, addresses concerns related to methodology, human resources, quality and confidentiality, and develops guidelines on classifying various types of big data sources [15].

There have been applications even on a national and individual level. For instance, in 2013, various sources reported that the CIA had admitted to the “full monitoring of Facebook, Twitter, and other social networks” to identify links between events and sequences or paths leading to national security threats, ultimately leading to forecasting future activities and events [16].

In the field of conflict prevention is the emerging applications to map and analyse unstructured data generated by politically active Internet use by academics, activists, civil society organizations, and even general citizens. In reference to Iran’s post-election crisis beginning in 2009, it is possible to detect web-based usage of terms that reflect a general shift from awareness towards mobilization, and eventually action within the population [17].

The "Big Data, Small Credit" report proposes that financial inclusion can be promoted by allowing consumers with mobile phones to access credit formally as customers [18].

At a national level, the biggest challenge for most big data projects is the limited or restricted access the government agencies have to potential big data sets owned by the private sector [19]. The overall consensus is that Big Data to track SDGs must complement traditional data sources [20]. This is because big data may not always be available for the entire population, or include a diverse enough sample of the population. Moreover most big data projects measure development indicators through a correlation which may not always be correct unlike official data. For instance big data might help in predicting lowered household income through reducing mobile bills while traditional data directly collects income statistics.

In a survey by the Global Working Group on Big Data for Official Statistics [21], it was found that only a few countries have developed a long-term vision for the use of big data, while many are formulating a big data strategy. Most countries have not yet defined business processes for integrating big data sources and results into their work and do not have a defined structure for managing big data projects.

Thus there exists a need to identify a governance framework for big data for sustainable development, not only at national level, but also at the international level.

4. Sustainable Development and Data Rights

Any discussion on governance frameworks would be incomplete without defining the kind of data rights they must seek to protect.

In the famous parable of the six blind men and the elephant they conclude that the elephant is like a wall, snake, spear, tree, fan or rope, depending upon where they touch. Similarly Internet experiences of individual users (what they touch) often contrast drastically with different views (what they conclude) on what would constitute data rights.

The IEAG in its report has identified the following set of data related rights, but has not defined any actual framework or process for ensuring them (yet) [22]:

• Right to be counted,
• Right to an identity,
• Right to privacy and to ownership of personal data,
• Right to due process (for example when data is used as evidence in proceedings, or in administrative decisions),
• Freedom of expression,
• Right to participation,
• Right to non-discrimination and equality, and
• Principles of consent.

Personal data is broadly defined as "any information relating to an identified or identifiable individual" [23]. Often primary data producers (users of services and devices generating data) are unaware of individual privacy infringements [24].

A survey by the Global Working Group on Big Data for Official Statistics found that only a few countries have a specific privacy framework for big data, while most apply the privacy framework for traditional statistics to big data as well [25].

Conventionally, safeguards against the re-use of big data to protect data rights have involved the “anonymization” or “de-identification” of data, to conceal individual identities. Global Pulse, for instance, is putting forth the concept of Data Philanthropy, whereby "corporations take the initiative to anonymize (strip out all personal information) their data sets and provide this data to social innovators to mine the data for insights, patterns and trends in real-time or near real-time" [26]. There however exists a debate on whether data can actually be anonymized effectively. Several state that data can never be effectively de-anonymized due to technological challenges [27]. For instance, when the New York City government released de-anonymised data sets of New York cab drivers were made re-identifiable by approaching a separate method. Within less than 2 hours work, researchers knew which driver drove every single trip in this entire dataset. It would be even be easy to calculate drivers’ gross income, or infer where they live [28].

Even the OECD opines that the current model of limiting identifiability of individuals is unsustainable. It recommends moving towards one where the focus is on transparency around how data is being used, rather than preventing specific types of use, stating that - "research funding agencies and data protection authorities should collaborate to develop an internationally recognized framework code of conduct covering the use of new forms of personal data, particularly those generated via network communication. This framework, built on best practice procedures for consent from data subjects, data sharing and re-use, anonymization methods, etc., could be adapted as necessary for specific national circumstances" [29].

Thus, there is a push for the arguement that the historical approaches to protecting privacy and confidentiality — namely, informed consent and anonymity — no longer hold [30]. Some have even suggested using big data itself to keep track of user permissions for each piece of data to act as a legal contract [31].

There is an overall consensus that any legal or regulatory mechanisms set up to mobilise the 'data revolution for sustainable development' should protect the data rights of the people [32], without any clear agreement on what these rights may be.

5. Governance Frameworks Proposed

A largely unanswered question that is posed in light of the emerging consensus on the use of Big Data for monitoring SDGs is within what sort of governance frameworks these data collection and analysis methods will operate. Methods of collection and the key actors involved in data analysis, management, storage and coordination. The role of NGOs and CSOs, if any, within these systems must be delineated. Certain key global organizations and eminent researchers have suggested the following models.

5.1. UN Sustainable Development Solutions Network

In 2012, the UN Secretary-General launched the UN Sustainable Development Solutions Network (SDSN) to mobilize global scientific and technological expertise to promote practical problem solving for sustainable development, including the design and implementation of the Sustainable Development Goals (SDGs) [33]. It has proposed the following.

Collection

The Inter-Agency and Expert Group on Sustainable Development Goal Indicators (IAEGSDG) and the United Nations Statistical Commission are to establish roadmaps for strengthening specific data collection tools that enable the monitoring of SDG indicators.

Analysis

Based on discussions with a large number of statistical offices, including Eurostat, BPS Indonesia, the OECD, the Philippines, the UK, and many others, 100 is recommended to be the maximum number of global indicators to analyse data for which NSOs can report and communicate effectively in a harmonized manner. This conclusion was strongly endorsed during the 46th UN Statistical Commission and the Expert Group Meeting on SDG indicators [34].

Specialist indicators developed by thematic communities must be used for data analysis as they include input and process metrics that are helpful complements to official indicators, which tend to be more outcome-focused. For example, the UN Inter-Agency Group on Child Mortality Estimation has developed a specialist hub responsible for analysing, checking, and improving mortality estimation. This is a leading source for child morality information for both governments and non-governmental actors [35].

Research arms of private companies such as Microsoft Research, IBM research, SAS, and R&D arms of telecom companies could directly partner with official statistical systems to share sophisticated analysing techniques [36].

Management

Four levels of monitoring, national, regional, global, and thematic, should be "organized in an integrated architecture" [37].

Countries must decide individually whether official data must be complemented with non-official indicators from big data which can add richness to the monitoring of the SDGs.

Where possible, regional monitoring should build on existing regional mechanisms, such as the Regional Economic Commissions, the Africa Peer Review Mechanism, or the Asia-Pacific Forum on Sustainable Development [38].

To coordinate thematic monitoring under the SDGs, each thematic initiative may have one or more lead specialist agencies or “custodians” as per the IAEG-MDG monitoring processes. Lead agencies would be responsible for convening multi-stakeholder groups, compiling detailed thematic reports, and encouraging ongoing dialogues on innovation. These thematic groups can become testing grounds in launching a data revolution for the SDGs, trialling new measurements and metrics that in time can feed into the global monitoring process with annual reports [39].

Schematic illustration with explanation of the indicators for national, regional, global, and thematic monitoring.
Source: UN Sustainable Development Solutions Network, Indicators and a Monitoring Framework for the Sustainable Development Goals: Launching a Data Revolution for the SDGs, 2015, p.3.

Role of NSOs

Monitoring the SDG agenda will require substantive improvements in national statistical capacity. Assessments of existing capacity to fulfil SDG monitoring expectations must be undertaken and needs be integrated into National Strategies for the Development of Statistics (NSDSs) [40].

Coordination

A Global Partnership for Sustainable Development Data must be established and a World Forum on Sustainable Development Data be convened in 2016 to create mechanisms for ongoing collaboration and innovation.

A high-level, powerful group of businesses and states must convene the various data and transparency sustainable development initiatives under one umbrella.

To ensure comparability, Global Monitoring Indicators must be harmonized across countries by one lead technical or specialist agency which will additionally coordinate data standards and collection and provide technical support.

The following table indicates the suggested Lead Agencies for individual SDGs [41].

5.2. The UN DATA Revolution Group

The group constituted by the UN Secretary-General Ban Ki-moon in August 2014, is an Independent Expert Advisory Group with the aim of making concrete recommendations on bringing about a 'data revolution for sustainable development' [42]. In its report, A World that Counts, it makes the following recommendations [43].

Collection

Clear standards on data collection methods must be developed based on the UN Fundamental Principles of Official Statistics. Periodic audits must be conducted by professional and independent third parties to ensure data quality.

Governments, civil society, academia and the philanthropic sector must work together strengthening statistical literacy so that all people have capacity to input into and evaluate the quality of data.

Social entrepreneurs, private sector, academia, media, civil society and other individuals and institutions must be engaged globally with incentives (prizes, data challenges) to encourage data sharing.

Analysis

A SDGs Analysis and Visualisation Platform is to be set up for fostering private-public partnerships and community-led peer-production efforts for data analysis.

A dashboard on ”the state of the world” will engage the UN, think-tanks, academics and NGOs in analysing, and auditing data.

Academics and scientists are to analyse data to provide long-term perspectives, knowledge and data resources at all levels.

The “Global Forum of SDG-Data Users” will ensure feedback loops between data producers, processors and users to improve the usefulness of data and information produced.

A “SDGs data lab” to support the development of a first wave of SDG indicators is to be established mobilizing key public, private and civil society data providers, academics and stakeholders working with the Sustainable Development Solutions Network.

Storage

A “world statistics cloud” will store data and metadata produced by different institutions but according to common standards, rules and specifications.

Role of NSOs

Civil society organisations must share data and processing methods with private and public counterparts on the basis of agreements. They must hold governments and companies accountable using evidence on the impact of their actions, provide feedback to data producers, develop data literacy and help communities and individuals generate and use data.

NSOs are the central players of the Data Revolution. Their autonomy must be strengthened to maintain data quality. They must abandon expensive and cumbersome production processes, incorporate new data sources like big data that is human and machine-readable, compatible with geospatial information systems and available quickly enough to ensure that the data cycle matches the decision cycle. Collaborations with the private sector can boost technical and financial investments.

Coordination

Key stakeholders must create a “Global Consensus on Data”, to adopt principles concerning legal, technical, privacy, geospatial and statistical standards. Best practices related to public data such as the Open Government Partnership (OGP) and the G8 Open Data Charter are recommended foundations for such principles.

A UN-led “Global Partnership for Sustainable Development Data” is proposed, to coordinate and broker key global public-private partnerships for data sharing [44].

A “World Forum on Sustainable Development Data” and “Network of Data Innovation Networks” will be a converging point for the data ecosystem to share ideas and experiences for improvements, innovation and technology transfer.

5.3. Organization for Economic Co-Operation and Development (OECD)

The Organisation for Economic Co-operation and Development (OECD) is an inter-governmental organization that seeks to promote policies that will improve the economic and social well-being of people globally. It has made the following proposals [45].

Collection

Data is to be collected from National statistical agencies, national and international researchers and international organisations.

Role of NSOs

By leveraging the expertise of telecommunications companies and software developers, for instance, national statistical systems could potentially reduce costs and improve the availability of data to monitor development goals [46].

Coordination

National Data Forums for Social Science Data must be created for the development of social science data for improved coordination between social scientists, data producers (national statistical agencies, government departments, large private sector businesses and sources undertaking academic direction), and data curators.

Social science research communities must contribute to national plans of action after a needs assessment [47]. Research funding agencies must collaborate at the international level for a common system for referencing datasets in research publications [48].

5.4. The Global Partnership for Sustainable Development of Data

The partnership is a global network of governments, NGOs, and businesses working to strengthen the inclusivity, trust, and innovation in the way that data is used to address the world’s sustainable development efforts [49].

Analysis

There must be a common framework for information processing. At minimum, a simple lexicon must tag each datum specifying:

• What: i.e. the type of information contained in the data,
• Who: the observer or reporter,
• How: the channel through which the data was acquired,
• How much: whether the data is quantitative or qualitative, and
• Where and when: the spatio-temporal granularity of the data.

Analysis of data involves filtering relevant information, summarising keywords and categorising into indicators. This intensive mining of socioeconomic data, known as “reality mining,” can be done by: (1) Continuous analysis of real time streaming data, (2) Digestion of semi-structured and unstructured data to determine perceptions, needs and wants. (3) Real-time correlation of streaming data with slowly accessible historical data repositories.

Use of big data for developmental goals can draw upon all three techniques to various degrees depending on availability of data and the specific needs.

Role of NSOs

NSOs have a pivotal part to play in the data revolution. Countries and organizations believe that big data cannot replace traditional official statistical data as it is based more on perception than facts. To quote Winston Churchill, "Do not trust any statistics that you did not fake yourself."

For instance, a study found that Google Flu Trends, to detect influenza epidemics, predicted nonspecific flu-like respiratory illnesses well but not actual flu. The mismatch was due to popular misconceptions on influenza symptoms. This has important policy implications. Doctors using Google Flu Trends may overstock on flu vaccines or be overly inclined to diagnose normal respiratory illnesses as influenza [50].

However Big Data if understood correctly, can inform where further targeted investigation is necessary and give immediate responses to favourably change outcomes.

5.5. The World Economic Forum (WEF)

The WEF is an International Organization for Public-Private Cooperation. It engages the foremost political, business and other leaders of society to shape global, regional and industry agendas [51]. In the report titled Big Data, Big Impact: New Possibilities for International Development, it makes the following recommendations [52].

Collection

Data production and development actors include individuals, public sector and the private sector. Each produce different kinds of data that have unique requirements. The private sector maintains vast troves of transactional data, much of which is "data exhaust," or data created as a by-product of other transactions. The public sector maintains enormous datasets in the form of census data, health indicators, and tax and expenditure information. The following figure highlights the different kinds of data that each sector collects and what incentives they have to share the data along with requirements to maintain such data.

World Economic Forum - Diagram on Data Commons.
Source: World Economic Forum, Big Data, Big Impact: New Possibilities for International Development, 2012, p.4.

Business models must be created to provide the appropriate incentives for private-sector actors to share data. Such models already exist in the Internet environment. For instance companies in search and social networking profit from products they offer at no charge to end users because the usage data these products generate is valuable to other ecosystem actors. Similar models could be created in garnering Big Data for SDGs. The following flowchart illustrates how different sectors must work together to incentivise data collection and sharing.

World Economic Forum - Diagram on Global Coordination.
Source: World Economic Forum, Big Data, Big Impact: New Possibilities for International Development, 2012, p.7.

5.6. Dr. Julia Lane - A Quadruple Data Helix

Dr. Julia Lane is a Professor in the Wagner School of Public Policy at New York University; and also a Provostial Fellow in Innovation Analytics and a Professor in the Center for Urban Science and Policy [53]. She has done extensive research on the uses of big data. In her paper titled "Big Data for Public Policy: A Quadruple Data Helix," she makes the following suggestions [54].

Collection

In the future there will exist a model of a quadruple data helix for data collection which will have four strands — state and city agencies, universities, private data providers, and federal agencies.i

A new set of institution, city/university data facilities, must be established. These institutions should form the backbone of the quadruple helix, with direct connections to the private sector and to the federal statistical agencies.

Analysis

There is a need for graduate training for non-traditional students, who need to understand how to use data science tools as part of their regular employment. They must identify and capture the appropriate data, understand how data science models and tools can be applied, and determine how associated errors and limitations can be identified from a social science perspective.i

Universities can act as a trusted independent third party to process, store, analyze, and disseminate data. ii

Management

The new infrastructure must ensure that data from disparate sources are collected managed and used in a manner that is informed by end users. There are many technical challenges: disparate data sets must be ingested, their provenance determined, and metadata documented. Researchers must be able to query data sets to know what data are available and how they can be used. And if data sets are to be joined, they must be joined in a scientific manner, which means that workflows need to be traced and managed in such a way that the research can be replicated.

Coordination

The role of State and City agencies is to address immediate policy issues, rather than to build long-term data infrastructures as their mandate is to work with city data than the full spectrum of available data.

5.7. Data-Pop Alliance

Data-Pop Alliance is a global coalition on Big Data and development created by the Harvard Humanitarian Initiative, MIT Media Lab, and Overseas Development Institute that brings together researchers, experts, practitioners, and activists to promote a people-centred big data revolution through collaborative research, capacity building, and community engagement [55]. It makes the following suggestions.

Collection

The idea of shared responsibility between the public and private sector is a proposed operational principles to create a deliberative space. Mechanisms and legal frameworks must be devised for private companies to share their big data under formalized and stable arrangements instead of being compelled by ad hoc requests from researchers and policymakers.

The media too, could avoid publishing statistical data collected by unexplained methodologies by employing "statistical editors" and disseminate verified information.

Role of NSOs

For official statistics, engaging with Big Data is not a technical consideration but a political obligation. In a two tier system of official and non-official statistics, the public and investors tend to distrust official figures. For instance, the results of the 2010 census in the UK are being disputed on the basis of sewage data.

It is imperative for NSOs to retain, or regain, their primary role as the legitimate custodian of knowledge and creator of a deliberative public space to democratically drive human development [56].

6. Conclusion

The Big data frameworks provide some useful insights on monitoring mechanisms though some questions remain unanswered in each model. Key actors that have been proposed include city and state agencies like NSOs, private companies, social scientists, private individuals and international research agencies. Data analysis can be through public-private collaborations, data philanthropy, and using indicators by thematic communities.

Collection

There appears consensus across models that collection must be effected through public private partnerships while providing incentives.

Analysis

While several methods of analysis have been proposed by the Global Partnership it is unclear on who will be conducting the analysis. The UNSDSN has suggested that it be conducted by academics and scientists with Julia Lane stating it must be through public private partnerships which appear more feasible and transparent.

Role of NSOs

All frameworks agree on the pivotal role of NSOs and acknowledge them as the key players and coordinators at the national level. They must be strengthened financially, technologically and politically. Most frameworks seek to empower national agencies which will coordinate collaborations with the private sector through incentives while protecting personal data.

Coordination

Several international fora have been proposed to enable coordination while there is consensus that the NSOs. A Global Partnership for Sustainable Development Data, a Global Consensus on Data and a World Forum on Sustainable Development Data have been suggested. UN organizations appear to be suggesting more responsibility for those in the UN framework with UNSDSN giving an extensive list of lead agencies (UNDP, UN Women, Who etc) while the WEF emphasises on the private sector, Data Pop Alliance on NSOs, and Prof. Lane on State and City agencies.

On an international level countries can opt to join international organization that are being setup for the purpose. It remains to be seen whether all countries globally can achieve such a feat in a coordinated manner without infringing on data rights when unanswerable to any set international organization. The burden appears to fall on civil society and market forces within the private sector to regulate this process. For instance when a private sector company starts providing large un-anonymized data sets for government use, the privacy concerns of civil society that result in them opting for the company’s competitor’s more privacy friendly products will result in a regulation through market forces. However these forces may have disparate strengths in different contexts and countries depending on market practices and information asymmetry resulting in the lack of a uniform accountability mechanism.

7. Endnotes

[1] Dan Ariely, Facebook, January 06, 2013, https://www.facebook.com/dan.ariely/posts/904383595868.

[2] United Nations Organizations, 'Sustainable Development Goals' (United Nations Sustainable Development, 26 September 2015), http://www.un.org/sustainabledevelopment/sustainable-development-goals/, accessed 6 June 2016.

[3] Data Revolution Group, 'A World that Counts: Mobilising the Data Revolution for Sustainable Development' (November 2014), http://www.undatarevolution.org/wp-content/uploads/2014/12/A-World-That-Counts2.pdf, accessed 8 June 2016.

[4] High level panel on the post-2015 development agenda , 'A New Global Partnership: Eradicate Poverty and Transform Economies through Sustainable Development'(Post2015hlp,0rg, July 2012), http://www.post2015hlp.org/, accessed 8 June 2016.

[5] Gary King, 'Ensuring the Data-Rich Future of the Social Sciences' [2011] 3(2) Science, http://gking.harvard.edu/files/datarich.pdf, accessed 8 June 2016.

[6] See [3].

[7] Ibid.

[8] Michael Horrigan, 'Big Data: A Perspective from the BLS' (Amstatorg, 1 January 2013) http://magazine.amstat.org/blog/2013/01/01/sci-policy-jan2013/, accessed 4 June 2016.

[9] UN Global Pulse, 'Big Data for Development: Challenges & Opportunities' (6 May 2012) http://www.unglobalpulse.org/sites/default/files/BigDataforDevelopment-UNGlobalPulseJune2012.pdf, accessed 5 June 2016.

[10] Emmanuel Letouzé and Johannes Jütting, 'Official Statistics, Big Data and Human Development: Towards a New Conceptual and Operational Approach' (2014) 12(3), Data-Pop Alliance White papers Series, https://www.odi.org/sites/odi.org.uk/files/odi-assets/events-documents/5161.pdf, accessed 4 June 2016.

[11] See [9].

[12] See [10].

[13] See [9].

[14] UN Global Pulse, 'About: United Nations Global Pulse' (2016) http://www.unglobalpulse.org/about-new, accessed 7 June 2016.

[15] UN Stats, 'Global Working Group' (2014) http://unstats.un.org/unsd/bigdata/, accessed 8 June 2016.

[16] New York City Press Release, ‘Mayor Bloomberg, Police Commissioner Kelly and Microsoft Unveil New, State-of-the-Art Law Enforcement Technology that Aggregates and Analyzes Existing Public Safety Data in Real Time to Provide a Comprehensive View of Potential Threats and Criminal Activity’ (New York City, 8 August 2012), http://www1.nyc.gov/office-of-the-mayor/news/291-12/mayor-bloomberg-police-commissioner-kelly-microsoft-new-state-of-the-art-law, accessed 2 July 2016.

[17] Francesco Mancini, 'New Technology and the Prevention of Violence and Conflict' (Reliefwebint, April 2013), http://reliefweb.int/sites/reliefweb.int/files/resources/ipi-e-pub-nw-technology-conflict-prevention-advance.pdf, accessed 2 July 2016.

[18] Arjuna Costa, Anamitra Deb, and Michael Kubzansky, 'Big Data, Small Credit: The Digital Revolution and Its Impact on Emerging Market Consumers,' (Omidyar, 3 March 2013) https://www.omidyar.com/sites/default/files/file_archive/insights/Big%20Data,%20Small%20Credit%20Report%202015/BDSC_Digital%20Final_RV.pdf, accessed 2 July 2016.

[19] United Nations Economic and Social Council, 'Report of the Global Working Group on Big Data for Official Statistics' (UN Stats, 3 March 2015), http://unstats.un.org/unsd/statcom/doc15/2015-4-BigData-E.pdf, accessed 8 June 2016.

[20] Ibid.

[21] Ibid.

[22] See [3].

[23] OECD, 'OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data' (23 September 1980), http://www.oecd.org/sti/ieconomy/oecdguidelinesontheprotectionofprivacyandtransborderflowsofpersonaldata.htm, accessed 29 May 2016.

[24] Amir Efrati, ''Like' Button Follows Web Users' (WSJ, 18 May 2011) http://www.wsj.com/articles/SB10001424052748704281504576329441432995616, accessed 23 May 2016.

[25] See [15].

[26] Robert Kirkpatrick, 'Data Philanthropy: Public and Private Sector Data Sharing for Global Resilience' (UN Global Pulse, 16 September 2011), http://www.unglobalpulse.org/blog/data-philanthropy-public-private-sector-data-sharing-global-resilience, accessed 4 June 2016.

[27] Ibid.

[28] Arvind Narayanan, 'No silver bullet: De-identification still doesn't work' (1 April 2016), http://randomwalker.info/publications/no-silver-bullet-de-identification.pdf, accessed 3 July 2016.

[29] OECD Global Science Forum, 'New Data for Understanding the Human Condition: International Perspectives,' (February 2013) http://www.oecd.org/sti/sci-tech/new-data-for-understanding-the-human-condition.pdf, accessed 2 June 2016.

[30] S. Barocas, 'The Limits of Anonymity and Consent in the Big Data Age,' in Privacy, Big Data, and the public good: Frameworks for Engagement (Cambridge University Press, 2014).

[31] A. Pentland, 'Institutional Controls: The New Deal on Data,'  in Privacy, Big Data, and the public good: Frameworks for Engagement (Cambridge University Press, 2014).

[32] See [3].

[33] UN Sustainable Development Solutions Network, 'About Us: Vision and Organization' (2012) http://unsdsn.org/about-us/vision-and-organization/, accessed 2 June 2016.

[34] UN Sustainable Development Solutions Network, 'Indicators and a Monitoring Framework for the Sustainable Development Goals: Launching a data revolution for the SDGs' (12 June 2015) http://unsdsn.org/wp-content/uploads/2015/05/150612-FINAL-SDSN-Indicator-Report1.pdf, accessed 4 June 2016.

[35] UNICEF, 'CME Info - Child Mortality Estimates' (2014) http://www.childmortality.org/, accessed 1 June 2016.

[36] See [10].

[37] UNESCO, 'Technical report by the Bureau of the United Nations Statistical Commission (UNSC) on the process of the development of an indicator framework for the goals and targets of the post-2015 development agenda' (6 March 2015) http://www.uis.unesco.org/ScienceTechnology/Documents/unsc-post-2015-draft-indicators.pdf, accessed 3 June 2016.

[38] UN, 'The Road to Dignity by 2030: Ending Poverty, Transforming All Lives and Protecting the Planet ' (4 December 2014) http://www.un.org/disabilities/documents/reports/SG_Synthesis_Report_Road_to_Dignity_by_2030.pdf, accessed 7 June 2016.

[39] Ibid.

[40] UN Sustainable Development Solutions Network, 'Data for Development: An Action Plan to Finance the Data Revolution for Sustainable Development' (10 July 2015) http://unsdsn.org/wp-content/uploads/2015/04/Data-For-Development-An-Action-Plan-July-2015.pdf, accessed 3 June 2016.

[41] See [34].

[42] UN Data Revolution Group, 'About the Independent Expert Advisory Group' (6 November 2014) http://www.undatarevolution.org/about-ieag/, accessed 4 June 2016.

[43] See [3].

[44] The Partnership has already been established, and it is developing a further framework.

[45] Organisation for Economic Co-Operation and Development), 'The Organisation for Economic Co-operation and Development (OECD): About' (2016) http://www.oecd.org/about/, accessed 2 June 2016.

[46] Organisation for Economic Co-Operation and Development, 'Strengthening National Statistical Systems to Monitor Global Goals' (2015) http://www.oecd.org/dac/POST-2015%20P21.pdf, accessed 1 June 2016.

[47] Ibid.

[48] OECD Global Science Forum, 'New Data for Understanding the Human Condition: International Perspectives' (February 2013) http://www.oecd.org/sti/sci-tech/new-data-for-understanding-the-human-condition.pdf, accessed 2 June 2016.

[49] The Global Partnership On Sustainable Development Data, 'Who We Are: The Data Ecosystem and the Global Partnership' (2016) http://www.data4sdgs.org/who-we-are/, accessed 5 June 2016.

[50] World Economic Forum, 'Big Data, Big Impact: New Possibilities for International Development' (22 January 2012) http://www3.weforum.org/docs/WEF_TC_MFS_BigDataBigImpact_Briefing_2012.pdf, accessed 8 June 2016.

[51] World Economic Forum, 'Our Mission: The World Economic Forum' (12 January 2016) https://www.weforum.org/about/world-economic-forum/, accessed 7 June 2016.

[52] See [50].

[53] Julia Lane, Homepage, http://www.julialane.org/.

[54] Julia Lane, 'Big Data for Public Policy: The Quadruple Helix' (2016) 8(1) Journal of Policy Analysis and Management, DOI:10.1002/pam.21921, accessed 1 June 2016.

[55] Data-Pop Alliance, 'Data-Pop Alliance: Our Mission' (May 2014) http://datapopalliance.org/, accessed 1 June 2016.

[56] See [10].

8. Author Profile

Meera Manoj is a law student at the Gujarat National Law University, Gandhinagar and has completed her first year. She is passionate about civil rights, feminism, economics in law and anything involving paneer. She aspires to travel the world and build up a vast library, with unparalleled sections on International Law and Archie comics.

With internet transactions, especially when they do not involve a centralized or governmental agency, traditional physical borders between nation states become increasingly irrelevant. This is equally true for both legal as well as illegal transactions. It is perhaps due to this that there has been an increase in the number of transnational crimes, especially cyber crimes, in the recent past.

It has been widely accepted that cooperation and sharing of information on a regular and sustained basis between nation states is a very important tool in tackling incidents of international cyber crime. For example, the Report of the Group of Experts on Developments in the Field of Information and Telecommunications in the Context of International Security established by the Secretary General of the United Nations, explicitly prescribes the following norms:

• (a) ….. States should cooperate in developing and applying measures to increase stability and security in the use of ICTs and to prevent ICT practices that are acknowledged to be harmful or that may pose threats to international peace and security;
• (d) States should consider how best to cooperate to exchange information, assist each other, prosecute terrorist and criminal use of ICTs and implement other cooperative measures to address such threats. States may need to consider whether new measures need to be developed in this respect;
• (h) States should respond to appropriate requests for assistance by another State whose critical infrastructure is subject to malicious ICT acts. States should also respond to appropriate requests to mitigate malicious ICT activity aimed at the critical infrastructure of another State emanating from their territory, taking into account due regard for sovereignty;
• (j) States should encourage responsible reporting of ICT vulnerabilities and share associated information on available remedies to such vulnerabilities to limit and possibly eliminate potential threats to ICTs and ICT-dependent infrastructure;

In a similar vein, on June 7th 2016, the Prime Minister’s Office released a fact sheet on the framework for the US-India Cyber Relationship. The fact sheet, which should result in a signed Framework in 60 days time from the signing, articulated a number of principles to frame and guide the U.S-India cyber relationship. The following principles of the framework focus on cross border sharing of information:

• A commitment to promote cooperation between and among the private sector and government authorities on cybercrime and cybersecurity
• A recognition of the importance of bilateral and international cooperation for combating cyber threats and promoting cybersecurity;
• A commitment to promote closer cooperation among law enforcement agencies to combat cybercrime between the two countries;
• Sharing information on a real time or near real time basis, when practical and consistent with existing bilateral arrangements, about cybersecurity threats, attacks and activities, and establishing appropriate mechanisms to improve such information sharing;
• Developing joint mechanisms for practical cooperation to mitigate cyber threats to the security of ICT infrastructure and information contained         therein consistent with their respective obligations under domestic and international law;

Processes for Crossborder Sharing

The process by which the Indian government could access data stored with a U.S company depends most importantly on if the data is meta data (location data or subscriber information) or content data (content of emails). If the data is meta data, the Indian government could approach the company directly for access, at which point it is at the company’s discretion to share the data. For example, with respect to requests for user data Google states:

“Respect for the privacy and security of data you store with Google underpins our approach to producing data in response to legal requests. When we receive such a request, our team reviews the request to make sure it satisfies legal requirements and Google's policies. Generally speaking, for us to produce any data, the request must be made in writing, signed by an authorized official of the requesting agency and issued under an appropriate law. If we believe a request is overly broad, we'll seek to narrow it.”

Due to provisions in the Electronic Communications Privacy Act, if the data is content, than the Indian government must use an international instrument, such as an MLAT request or a Letter of Rogatory, to access the information. In the case of a MLAT or Letter of Rogatory, the U.S government recieves a court order and issues a search warrant to the company for the data and shares it back with India. For the Indian request to be approved it must at a minimum 1. meet the terms of the relevant treaty 2. comply with US law including fourth and fifth amendemnt rights and probable cause when applicable.

Legal Provisions to operationalise requests in criminal matters in India

In terms of Indian law, section 105 of the Criminal Procedure Code (Cr.P.C.) speaks of reciprocal arrangements to be made by Central Government with the Foreign Governments with regard to the service of summons/warrants/judicial processes. In case of countries with which India has an operational MLAT, the process envisaged in the MLAT coupled with the provisions of section 105 Cr.P.C. are to be followed, while in case of other countries the ministry makes a request on the basis of assurance of reciprocity to the concerned foreign government through the mission / Embassy. The difference between the two categories of the countries is that the country having an MLAT has an obligation to consider serving the documents whereas the non-MLAT countries do not have any obligation to consider such a request. The summons issued by the Foreign Courts/Authorities and received in the Ministry of Home Affairs are served by the State Police through CBI-Interpol.

Although the process for service of summons/warrants/judicial processes has been dealt with in section 105 of the Cr.P.C. some MLATs such as the one with the United Kingdom may provide for even greater assistance such as attachment and forfeiture of property as well as warrants for arrest. Since the Cr.P.C. as originally drafted did not have provisions for such therefore Chapter VIIA was inserted into the Cr.P.C. The statement of Objects and Reasons for the Amendment Act bringing the said chapter into the Cr.P.C. states:

“The Government of India has signed an agreement with the Government of United Kingdom of Great Britain and Northern Ireland for extending assistance in the investigation and prosecution of crime and the tracing, restraint and confiscation of the proceeds of crime (including crimes involving currency -transfer) and terrorist funds, with a view to check the terrorist activities in India and the United Kingdom. For giving full effect to this agreement, it is proposed to amend the Code of Criminal Procedure, 1973 to provide for-

(a) the transfer of persons between the contracting States including persons in custody for the purpose of assisting in investigation or giving evidence in proceedings;

(b) attachment and forfeiture of properties obtained or derived from the commission of an offence that may have been or has been committed in the other country; and

(c) enforcement of attachment and forfeiture orders issued by a Court in the other country.”

Conflict between Treaty provisions and Indian Law

One question which sometimes arises for discussion is what happens when a request is made by a foreign state under an MLAT for information which is not legally enforceable even by Indian authorities. Usually the treaties themselves are very clear on this point and have a provision which precludes a state from acting upon a request if the same is not enforceable under its domestic law. Even so, in the hypothetical scenario that such a provision does not exist in a treaty, the law in India is pretty clear, that in case of a conflict between the provisions of the treaty and Indian law, the provisions of Indian law shall prevail. This was held by the Supreme Court in the case of Bhavesh Jayanti Lakhani v. State of Maharashtra and others, wherein the Court said:

“The Act as also the treaties entered into by and between India and foreign countries are admittedly subject to our municipal law. Enforcement of a treaty is in the hands of the Executive. But such enforcement must conform to the domestic law of the country. Whenever, it is well known, a conflict arises between a treaty and the domestic law or a municipal law, the latter shall prevail.”

MLATs in India

India currently has MLATs with 39 countries.The nodal Ministry for concluding Mutual Legal Assistance Treaties in Criminal Matters is Ministry of Home Affairs, which is responsible for facilitating measures of mutual assistance in investigation, prosecution and prevention of crime, service of summons and other judicial documents, execution of warrants and other judicial commissions and tracing, restraint, forfeiture or confiscation of proceeds and instruments of crime.

It must be noted here that unlike countries like the United States, Indian law does not require parliamentary approval for treaties to become operation and therefore MLATs enter into force in accordance with the requirements stipulated in their provisions.^[1] This means that some MLATs may enter into force as soon as they are signed if the terms of those MLATs provide as such, while others may require ratification. Ratification is usually done through an Instrument of Ratification which is signed by the President of India and ratification is considered complete only after the Instruments of Ratification are exchanged between the signatory states.

As an additional note, MLAT's between countries are not the same. For example, the US/EU MLAT is  different from the US/India MLAT. Significant differences in scope include:

• Types of offenses: US/EU MLAT requires assistance for offenses that are recognized in both the EU and US, serious offenses punishable under the laws of both states, or offenses pununishable with 4-2 years in prison. In contrasts the US/India MLAT requires assitance without regard to if the investigation would constitute an offence under the laws of the requested state.

• Forms of cooperation:Forms of cooperation found in the US/EU MLAT but not the US/India MLAT include joint investigiative teams, expediated means of communication, specific provision for identifaction of banking information.

• Use of obtained evidence: The US/EU MLAT places clear limitations on the use of personal and other data where as the US/India MLAT maintains that the requested state can place a limitation on use and confidentiality if they wish to.
• Review and application: The US/EU treaty applies to offenses committed before and after entering into the MLAT and requires review five years after it comes into force. The US/India treaty does not incorporate either of these aspects.

Letters Rogatory in India

The process of sending Letters Rogatory is enabled via 166A of the CrPc, which allows an investigating officer to issue a letter of request to a Court. The Court can issue such letter to the Central Government, who will then send it to the courts in the U.S. In 2007, the Ministry of Home Affairs issued comprehensive guidelines regarding letters of rogatory, extradition requests, and contact with foreign police – sighting issues in consistent and accurate use of such tools and processes. Examples of Letters of Rogatory issued by India to the US, include on theChase Manhattan Bank,David Headley,Louis Berger, and in theSheena Bora murder case.

Challenges in Cross Border Sharing of Information

Cyber crimes have the unique feature of making geographical boundaries irrelevant, thus creating challenges of jurisdiction and applicable legal standards. For example, a person sitting in the US may commit a crime against a victim in India without leaving the U.S - raising questions of which law would apply to the individual. Or a person sitting in India may commit a crime against a victim in India, but the evidence would be stored with a U.S company located outside of India - raising questions again over which law would apply to the data. As pointed out by the Centre for Law and Democracy, the question of jurisdiction can be based on a number of vantage points including location of the data, citizenship of the individual, location of the individual, place of the crime, or incorporation of the company holding the data.

The challenge of jurisdiction is further exacberated by the capabilities of technologies today. For example, if the data of the Indian citizen contains information about a U.S citizen, the information about the Indian would receive different levels of legal protections than that of the U.S citizen while stored in the U.S. Indian courts can also try to claim jurisdiction over Indian data/persons being subject to U.S law. For example, in 2012  Indian courts attempted to issue summons on U.S ICT companies. Also in 2012, the court of a District Judge in Vishakhapatnam, the Court issued an order restraining Google Inc. from complying with a subpoena issued by the Superior Court of California that ordered Google to share the password of the Gmail account belonging to an Indian citizen residing in Vishakhapatnam. Although this was only an interim order and was given by a District Court, and thus did not have  any precedent value, the case demonstrates the need to have in place systems and mechanisms to ensure that law enforcement and judicial authorities do not trip over each other while dealing with cross jurisdictional issues in the realm of cyber crimes and cyber disputes.

Challenges in cross border sharing of information do rest only with the question of jurisdiction. All bi-lateral and multi-lateral processes for cross border sharing of information and cooperation have their own complexities. Such complexities could include bureaucracy, mistakes in issuing and/or processing requests, lack of competency, and differing legal requirements. For example, experts have noted that many requests for access to communications from foreign governments are rejected as they fail to meet the requirement that a U.S court find probable cause for issuing an order to a company for disclosure of communications.  In the case of MLATs and Letters of Rogatory, these complexities have resulted in slow processing times for requests, rejection of requests due to errors in submission, or rejection of requests for legal reasons. For example, according to the President’s Review Group on Intelligence and Communications Technologies, it takes approximately 10 months for the US to process and respond to an MLAT request from a foreign government. In the age of the internet, where situations require real time access to data, such delays are frustrating and can severely hamper an investigation.

Solutions to the Challenges

Law enforcement agencies, governments, academia, and civil society across the world over have realized the complexity of this situation, and have been trying to find effective solutions.

A recent proposal is the one that is being negotiated between theUS and the UK. Which, simply put, would allow the UK government and intelligence agencies to access content data directly from ICT companies in the US when the content and the crime do not pertain to a US citizen. There is talk that this agreement would be extended to other countries on the condition that they meet certain standards and requirements. At the same time the U.S has recently reached thePrivacy Shield Agreement with the EU. The agreement establishes more stringent standards and protocols for sharing data between the US and EU and includes requirements for transparency of U.S government access to EU citizen's data. In 2016 the U.S enacted theJudicial Redress Act . The Act authorizes the Department of Justice to approve countries whose citizens may bring civil action under the Privacy Act 1974 against specified US agencies. Countries will be assessed as per their privacy protections, if data can be freely passed between the US and the applying country, and the Department of Justice has certified data transfer policies that do not impede the national security interests of the U.S.

Parallel to these policy developments,  civil society and academics are also discussing alternative frameworks. Some of these include:

Daskal-Woods: Proposed by Jennifer Daskal, Assistance Professor of Law and American University Washington College of Law and Andrew Woods, Assistant Professor of law and the University of Kentucky, - the framework seeks to address repercussions arising from roadblocks in the cross border sharing of data including data localization requests, heavy handed encryption policies, and governmental demands for built in back doors. The framework could be extended to countries meeting a set of established criteria including basic human rights requirements. Importantly, the framework proposes replacing the requirement of probable cause with that of a strong factual basis that a crime has been or will be committed. This would likely be a welcomed change for the Indian Government as it could make it easier for requests for be approved, though for Indian citizens, it might be a less welcomed change as they would lose the privacy protection that the probabal cause standard affords them against requests from the Indian government and other foreign governments. India does not require probable cause to be demonstrated and access to the content of communications can be authorized by the Joint Secretary to the Ministry of Home Affairs on the grounds laid out in section 5 of the Telegraph Act and section 69 of the IT Act.

• Strawman: Proposed by the Centre for Democracy and Technology, suggests a framework that would treat MLAT requests in which the location of the crime, the citizenship and location of thevictim, the perpetrator, and data subject are in the same country - primarily to the requesting country’s domestic law. Such a framework would bring content and non-content under its scope. This framework would be extended to countries that meet baseline human rights standards.
• Peter Swire and Justin Hemmings: Swire and Hemmings have proposed a number of process reforms to help streamline the MLAT process including increasing the resources to the Office of International Affairs, streamlining the number of steps in the MLAT request process, and streamlining the provision of requested records back to the requesting country. They also proposed a system that would prioritize or streamline requests from ‘pre approved’ countries and explore joint criminal investigations between law enforcement officials from different countries as alternative means for obtaining access to information.

Conclusion

Due to the pervasive nature of the internet and technology in our everyday lives there is a greater danger of criminal activities being conducted from great distances and often from across international borders. One of the most important means to tackle this increase in cross border criminal activities is to increase international cooperation and information sharing through more efficient processes.  As negotiations take place between the U.S and the U.K and the U.S and the EU on finding alternatives to enhance cross border sharing of information, it is encouraging that the US-India cyber framework touches on cross border sharing of information and references the Expert Group, but India needs to participate in the larger global debate that is happening around cross border sharing of information and needs to focus on improving internall chain of custody for sending requests and strengthening privacy practices domestically.

Questions that India should be asking with respect to the developments in the US and EU include:

• By what criteria will non-EU countries be evaluated for participation in such partnerships? If India does not immediately meet the set criteria, is there the will to make the needed amendments to domestic policy and practice? What are the pro’s and con’s of India participating in such partnerships? This is an important question to ask and for India to reflect upon as it is not clear that current practices and policy would meet set human rights standards. For example, an issue could be the India has provisions for the death penalty for heinous crimes and terror attacks.
• Once evaluated will agreements and processes between the US and various countries be standard? i.e, will the EU - US agreement be the same as an India - US agreement? Will the process for engagement between the EU-US and Indian-US be the same? If not, what will determine differences?

As the Centre for Internet and Society continues to research into MLATs and cross border sharing of information, some questions we are seeking to answer include:

• For what differing purposes does India send Letters Rogatory and/or MLAT requests?
• What is the process followed for issuing and recieving Letters Rogatory/MLAT? CBI has issued comprehensive guidelines for issuing these requests, but are these followed? what are challenges in the implementation of these processes?
• How much money is spent on sending/processing Letters of Rogatory/MLATs?
• Is one instrument preferred over another i.e, Letters Rogatory vs. MLATs, and why?
• How many requests originating from India to the US have been rejected and why?
• What level of privacy protection is afforded to the data transferred? Who has access to such data?

^[1] The issue of parliamentary approval was raised in the case of the Indus Waters Treaty, 1960 on the ground that it involved a huge financial commitment and its ratification without parliamentary approval amounted to an encroachment upon the financial powers of the Parliament. Deciding on this point the   Speaker of the House said “Wherever the Government enters into a treaty-Parliament may or may not agree-primary right under the Constitution is with the Government to enter into a treaty..................We cannot now take away powers which have been vested in the Government under the Constitution….. In accordance with previous practice, it is not obligatory on the Government to place treaties before this House for ratification unless, as constituent parts of those treaties, the respective Governments have agreed to place them before Parliament and obtain their ratification.” Decisions from the Chair, Lok Sabha, available at http://www.parliamentofindia.nic.in/ls/decision/decp84.htm

1. Introduction

2. Analysis of TPP and D2D

2.1. Trans Pacific Partnership (TPP)

2.2. Digital 2 Dozen (D2D)

3. Major Criticisms of the Digital Agenda of TPP

3.1. Data Protection

3.2. Digital Privacy

4. Implications of TPP for RCEP

5. Implications of TPP in the Context of EU Safe Harbour Judgement

6. Implications of TPP for India after US-India Cyber Relationship Agreement

7. Conclusion

8. Endnotes

9. Author Profile

1. Introduction

This essay explores the concerns related to data protection and digital privacy under the Trans Pacific Partnership (TPP) agreement signed recently between United States of America and eleven countries located around the pacific ocean region, across South America, Australia, and Asia [1]. TPP is a free trade agreement (FTA) that emphasises, among other things, the need for liberalising global digital economy. The essay also analyses the critical document titled ‘Digital 2 Dozen’ (D2D), which compiles the key action items within TPP addressing liberalisation of digital economy, and sets up the relevant goals for the member nations. TPP requires the member countries to facilitate unhindered digital data flow across nations, for commercial and governmental purposes, which evidently have major implications for national and regional data protection and privacy regimes. These implications must also be seen in the context the recent judgement by the EU Court of Justice against the validity of the EU-USA data transfer agreement of 2000. Further, the essay discusses the potential impacts that TPP/D2D might have on India, in the context of the ongoing USA-India Cyber Relationship dialogue. If the privacy concerns are not raised right now TPP might act as a model framework for future FTAs which will fail to encompass proper data protection and digital privacy regime within it.

2. Analysis of TPP and D2D

2.1. Trans Pacific Partnership (TPP)

Trans Pacific Partnership (TPP) is a large multi-partner free trade agreement amongst twelve Asia-Pacific countries, which is closely led by geo-political and economic strategies of the USA. Countries started the negotiation of TPP in 2008 when USA joined Pacific Four (P-4) negotiations and in 2015 negotiations of TPP was concluded and text was released. Ministers from the member countries signed the agreement on February 4, 2016 [2]. The main aim of TPP is to liberalise trade and investment beyond what is provided for within the WTO. It is also considered to be a strategic move by the US to counter the trade linkages that are being established in the Asian region. TPP largely covers topics of market access, and rules on various related issues such as intellectual property rights, labour laws, and environment standards [3].

Between 1992 -2012 there has been an upsurge in bilateral trade agreements being signed in Asia from 25 to 103 and the effect of these FTAs is called the ‘noodle bowl effect’. TPP is seen as framework which will replace these FTAs which are causing the ‘noodle bowl effect’.While these FTAs are being replaced but with TPP being signed there are various bilateral arrangements signed along with TPP. USA has also stated that TPP will not affect the already existing NAFTA [4]. While TPP is being concluded there is another free trade agreement being negotiated between USA and EU , which is Trans Trade and Investment Partnership (TTIP). Both TPP and TTIP and are considered to be serving similar objective which is to deal with new and modern trade issues. Also both the agreements are US led and since negotiation for TPP are now finalised it may have a significant impact on TTIP [5].

TPP is one of the first document which deals specifically with digital economy and applies across borders. The main aims of TPP are to promote free flow of data across borders without data localisation. It aims to remove national clouts and regional internets. It also includes provisions to combat theft of trade secrets. It allows you to create transparent regulatory process with inputs from various stakeholders. It also aims to provide access to tools and procedures for conduct of e-commerce [6].

Some of the major criticism to TPP were regarding the issues related to [7]:

• environment, wherein it does not address the issue of climate change and the language used in the agreement is very weak;
• labour rights provision mandates parties to adhere to the ILO provision but it does not seem to provide for effective framework and might not bring the desired change;
• investment chapter is seen to be controversial because of the investor state dispute settlement clause which will allow foreign investor to sue government over policies that might cause harm to them;
• e-commerce and telecommunication chapter raises major privacy concerns;
• intellectual property chapter wherein it includes controversial rules regarding pharmaceutical companies and data exclusivity apart from the privacy concerns.

2.2 Digital 2 Dozen (D2D)

D2D is set of rules and aims which is specifically drafted to be followed for the trade agreements related to open internet and digital economy. More specific aims of TPP as provided within the ‘Digital 2 Dozen,’ aiming for more liberalised trade in digital goods and services, are [8]:

• promoting free and open internet,
• prohibiting digital custom duties,
• securing basic non-discrimination principles,
• enabling cross-border data flows,
• preventing localization barriers,
• barring forced technology transfers,
• advancing innovative authentication methods,
• delivering enforceable consumer protections,
• safeguarding network competition,
• fostering innovative encryption products, and
• building an adaptable framework.

Strategic goal of the US in introducing D2D as goals of TPP has been to set up a trend within Asian region for all the trade agreements. It is expected to ensure that if TPP is a success, similar goals and policy frameworks will be followed for other trade agreements as we. For example, the USA-India partnership also enshrines similar aims and so does the USA-Korea partnership. Hence while India is not part of TPP, USA is nonetheless trying to get India into a partnership which is similar to the TPP. The language proposed by the USA in TPP negotiations has always been supportive for cross border data flows as it claims that companies have mechanism to keep a privacy check and privacy would not be undermined, but countries like New Zealand and Australia which have strong privacy protection laws nationally have raised concerns which will be discussed in further sections [9]. Also not only in privacy rights but Digital Dozen initiative also affects other digital rights related to - excessive copyright terms TPP proposed to extend the term of copyright to hundred years which deprive access to knowledge; as in the U.S motive to give more power to private entities , the ISP obligations enumerated within TPP which puts freedom of expression and privacy at risk as ISPs are allowed to check for copyright infringement and TPP does not put any privacy restriction in this regard; introduction of new fair use rules; ban on circumvention of digital locks or DRMs; no compulsory limitation for persons with disabilities; lack of fair use for journalistic right; while net neutrality is major issue is many developing nations in Asia no effective provision for net neutrality is aimed at in the D2D initiative; prohibits open source mandates which puts barrier for countries which want to release any software as open source as a policy decision [10].

3. Major Issues Related to Data Protection and Privacy in the TPP

3.1. Data Protection

One of the major concern raised against TPP is regarding data protection provisions that have been integrated within the E- Commerce chapter of the agreement. Article 14.11 and Article 14 .13 are the ones that deal with data flow related to consumer information.Article 14.11 in the agreement puts a requirement on the member states to allow transfer of data across border and Article 14.13 does not allow the companies to host data on local servers. Concerns were raised in few member states for instance, Australian Privacy Foundation raised concerns over Article 14.11 which requires transfers to be allowed in context of business activities of service suppliers. It claimed that exception to this provision is very narrow and the repercussion for not following the exception is that investor state dispute settlement proceedings can be initiated, which is not sufficient to protect privacy. Also, it highlighted the issue that with the narrow exception provided under Article 14.13 which relates to prohibition on data localisation, it might have adverse effect on the implementation of national privacy laws within Australia [11].

Another provision which is of major concern is Article 14.13 which prohibit data localisation. It will raise problems for countries like Indonesia and China which will have to change their local laws to implement the provision [12]. Since there already has been a major concern with regard to USA- EU Safe Harbour Agreement which was later made subject to the ECJ’s ruling on data protection, which invalidated any arrangement which provides voluntary enterprises responsibility to enforce privacy. But both the USA and EU are in process of renegotiating the agreement.The major concern was that in EU data protection is a fundamental right while in USA data protection is more consumer centric. When similar concerns were raised in TPP negotiations, they were rebutted as USA claimed that FTA does not concern itself with data protection [13].

In 2012 Australia proposed an alternative language to TPP which allowed countries to place restriction on data flow as long as it was not a barrier to trade. U.S responded to concerns raised by the Australia through a side letter which ensured Australia that U.S and Australia have a mutual understanding in relation to privacy and U.S will ensure the privacy of data with regards to Australia. While Australia’s concern was given acknowledgement other countries which raised similar issues were not given any assurances [14]. US instead proposed ad- hoc strategy that gave private companies power to form privacy policy with implementation through state machinery [15].

3.2. Digital Privacy

Article 14.8 in the E- Commerce chapter of the agreement states that countries can form legal framework for the protection of rights but the kind of ‘legal framework’ is not defined. Also, nowhere it states that the privacy protection or data protection laws are expressly exempted, rather it states that any such policy implemented by member states will be put under review of TPP standards. The standards which TPP proposes to follow are based on the underlying idea that any such policy should not hinder free trade in any way. This test will be applied by tribunals which are experts in trade and investment and not on data protection or human rights [16]. While Article 14.8 provides for protection of private information of consumers but the footnote to the provision renders it ineffective. The footnote states that member countries can adopt legal framework for the protection of data which can be done by self-regulation by industry and does not provide for any comprehensive data protection obligation upon the member states [17]. Similar to this Article 13.4 of the telecommunications chapter under TPP also states that the countries can apply regulation regarding confidentiality of the messages as long as it is not “a means of arbitrary or unjustifiable discrimination or a disguised restriction on trade in services" [18].

Another chapter which raises major concerns about the privacy rights is intellectual property. It affects privacy through the provisions related to technological protective measures and the provision that regulate ISP’s liability. Regarding the TPM provision, the TPP follows the DMCA model whereby the exception to anti- circumvention provision is very narrow and does not apply to anti- trafficking provision. The exception allows user to circumvent TPM if it affect the user's privacy in any way, although this provision does not apply to ant- trafficking of TPM. The provision regarding ISP’s liability states that there should be cooperation between ISPs and rights holders and it does not prohibit ISPs to monitor its users. Also TPP proposes the notice for takedown and identification of the infringer by the ISP but this provision is not in consonance with laws of member states, like that of Peru which does not have any copyright law on ISP . Also many countries have tried to introduce proper privacy laws along with implementation of ISP liability but that is not done within the TPP [19]. TPP as whole aims to give greater power to private regulators without providing for minimum standard for protection of privacy.

Although TPP is not a data protection agreement but it consequently deals with various aspects of data protection, hence it is prospective model for privacy and data protection practices in future trade agreements. If positive obligations are included within the free trade agreements it will have an advancing impact on the data protection regime.

4.Implications of TPP for RCEP

While TPP has such lacunas similar provision are proposed in RCEP to which India is a party and which will have serious implication as many of the countries have inadequate data protection laws nationally and with the introduction of such an FTA the exploitation of privacy rights will be rampant [20]. To avoid this EU directive on data protection should be taken into consideration in the negotiations of such FTAs. But for the RCEP negotiations are still going on and in India many companies like Flipkart, Snapdeal etc. have started preparing for the changing norms. The government claims that it is going to accept best practices in the region which indicates that it is going to have same policies as that of TPP. Although people from industry have raised concerns that while there are national laws but it is difficult to check third party involvement within the business and it is becoming increasingly difficult to keep the consumer data confidential [21].

5. Implications of TPP in the Context of EU Safe-Harbour Judgement

Mr. Maximillian Schrems, an Austrian National residing in Austria, has been a user of the Facebook social network since 2008. Any person residing in EU who wishes to use Facebook is required to conclude, at the time of his registration, a contract with Facebook Ireland (a subsidiary of Facebook Inc. which itself is established in Unites States). Some or all of the personal data of the Facebook Ireland’s users who residing in EU is transferred to servers belonging to Facebook Inc. that are located in United States, where it undergoes processing. On 25 June 2013 Mr Schrems made a complaint to the commissioner by which he in essence asked the latter to exercise his statutory powers by prohibiting Facebook Ireland from transferring his personal data to Unites States, and this led to the Maximillian Schrems v Data Protection Commissioner case [22]. He contended that in his complaint that the law and practice in force in that country did not ensure adequate protection of the personal data held in its territory against the surveillance activities that were engaged in thereby by the public authorities. Mr Schrems referred in this regard to the revelations made by Edward Snowden concerning the activities of the United States intelligence services, in particular those of the NSA.(para 26, 27, 28). The case came in the court ruled that “that a third country which ensures an adequate level of protection, does not prevent a supervisory authority of a Member State, within the meaning of Article 28 of the EU 94/46 directive as amended, from examining the claim of a person concerning the protection of his rights and freedoms in regard to the processing of personal data relating to him which has been transferred from a Member State to that third country when that person contends that the law and practices in force in the third country do not ensure an adequate level of protection. The ruling implies that personal data cannot be transferred to third country which does not provide adequate level of protection.

EU safe harbour judgment and EU directive on privacy provide contrasting rules related to privacy. While TPP gives power to private entities to formulate rules regarding privacy while the recent ECJ judgment invalidated giving such power to private entities under EU-US Safe Harbour Agreement. Also in context of the same judgment Hamburg’s Commissioner for Data Privacy And Freedom of Information announced an investigation into the data transfer taking place through Facebook and Google to U.S. Hence in the light of the recent judgment member states within EU are not allowed to permit cross border data flow, in contrast to this one of the main goals of TPP is to maintain free flow of data across border [23]. EU is this regard has also set forth the proposal to introduce General Data Protection Regulation. (GDPR). Although U.S and EU are trying to renegotiate the agreement but the privacy concerns raised cannot be ignored. Hence following the same model as was invalidate under the ECJ judgment lets US exploit privacy of member states under TPP. Similar concerns as raised within the judgment are also raised in India as it also following the same model within U.S-India Cyber Relationship Agreement and in RCEP negotiations.

6. Implications of TPP in the context of USA-India Cyber Relationship

While India is not part of TPP but it might have an effect on the U.S India Cyber Relationship Agreement. In August 2015 there was re- initiation of the India-U.S cyber dialogue to address common concerns related to cybersecurity and to develop better partnerships between public and private sector for betterment of digital economy [24]. One of the key aim of this agreement is free flow of information between two nations, which suffers from similar problem that it will put privacy of the citizens at risk. Also India does not have any bilateral treaty which ensures cyber data protection in such a scenario the only solution is data localisation, but this agreement will put data at risk [25]. Hence while the TPP negotiations were going on and also RCEP is being discussed the concerns about privacy and data protection need to be raised as mention in earlier section regarding implications of TPP on RCEP, the USA-India Cyber Relationship also faces the same implications..Although the aim of USA-India Cyber Relationship is to ensure cybersecurity. After the cases of Muzaffarnagar riots, upheaval in North -Eastern states and Gujarat riots, India has realised it is important to ensure compliance from the social media companies. India sees the USA-India Cyber Relationship as an opportunity to achieve this goal. The Google Transparency Report states that that India made around three thousand requests to Google for user data [26], which indicate at the country's interest in having a common data understanding with the major social media companies (almost all of which are located in USA) about requesting and sharing of user activity data. While this concern is being addressed through the agreement, it is difficult to ignore the clause related to free flow of information, and if the meaning of the term is extended and adopted from TPP itself will put digital privacy of Indian citizens at risk [27].

7. Conclusion

Even though TPP negotiation are completed but the ratification of the agreement is still underway. TPP is being seen as one of a kind trade agreement because it is the first time that countries across the globe have come together as a whole to address concerns of modern trade. Although it fails to address some of the key concerns related to privacy and data protection which are becoming increasingly important. Data protection and privacy issues cannot be seen in isolation and needs to merged within the modern day trade agreements. The D2D component by the USA is strategic move to have trade dominance in Asia and to compete with China’s growth . TPP has privacy and data protection lacunae within the e- commerce , telecommunications and intellectual property discussion.Although it might have serious implications on RCEP negotiation and USA- India Cyber Relationship Dialogue. Similar concern regarding data protection has already been addressed by ECJ judgment invalidating USA-EU Safe Harbour Agreement but the similar ad - hoc strategy has been incorporated within TPP. Since TPP might be considered as best practice model for future FTAs in the Asian region it is important to raise and address these privacy concerns now.

8. Endnotes

[1] The signatory countries include Australia, Canada, Japan, Malaysia, Mexico, Peru, United States of America, Vietnam, Chile, Brunei, Singapore, New Zealand. "The Trans-Pacific Partnership," http://www.ustr.gov/tpp (last visited Jul 7, 2016).

[2] "The Origins and Evolution of the Trans-Pacific Partnership (TPP)," Global Research, http://www.globalresearch.ca/the-origins-and-evolution-of-the-trans-pacific-partnership-tpp/5357495 (last visited Jul 7, 2016).

[3] Fergusson, Ian F., Mark A. McMinimy & Brock R. Williams, "The Trans-Pacific Partnership (TPP): In Brief," (2015), http://digitalcommons.ilr.cornell.edu/key_workplace/1477/ (last visited Jul 1, 2016).

[4] Gajdos, Lukas, The Trans-Pacific Partnership and its impact on EU trade, Policy Department, Directorate-General for External Policies, Policy Briefing (2013), http://www.europarl.europa.eu/RegData/etudes/briefing_note/join/2013/491479/EXPO-INTA_SP(2013)491479_EN.pdf.

[5] Twining, Daniel, Hans Kundnani & Peter Sparding, Trans-Pacific Partnership: geopolitical implications for EU-US relations, Policy Department, Directorate-General for External Policies, June 24 (2016), http://www.europarl.europa.eu/RegData/etudes/STUD/2016/535008/EXPO_STU(2016)535008_EN.pdf.

[6] USTR, "Remarks by Deputy U.S. Trade Representative Robert Holleyman to the New Democrat Network," https://ustr.gov/about-us/policy-offices/press-office/speechestranscripts/2015/may/remarks-deputy-us-trade (last visited Jul 4, 2016).

[7] Murphy, Katharine, "Trans-Pacific Partnership: four key issues to watch out for," The Guardian, November 6, 2015, https://www.theguardian.com/business/2015/nov/06/trans-pacific-partnership-four-key-issues-to-watch-out-for (last visited Jul 7, 2016).

[8] USTR, "The Digital 2 Dozen" (2016), https://ustr.gov/sites/default/files/Digital-2-Dozen-Final.pdf (last visited Jul 1, 2016).

[9] Fergusson, Ian F.m Mark A. McMinimy & Brock R. Williams, "The Trans-Pacific Partnership (TPP) negotiations and issues for congress," (2015), http://digitalcommons.ilr.cornell.edu/key_workplace/1412/ (last visited Jul 8, 2016).

[10] "How the TPP Will Affect You and Your Digital Rights," Electronic Frontier Foundation (2015), https://www.eff.org/deeplinks/2015/12/how-tpp-will-affect-you-and-your-digital-rights (last visited Jul 7, 2016).

[11] Australian Privacy Foundation (APF), Trans Pacific Partnership Agreement (2016), https://www.privacy.org.au/Papers/Parlt-TPP-160310.pdf.

[12] Greenleaf, Graham, "The TPP & Other Free Trade Agreements: Faustian Bargains for Privacy?," SSRN (2016), http://papers.ssrn.com/sol3/Papers.cfm?abstract_id=2732386 (last visited Jul 1, 2016).

[13] "GED-Project: Transatlantic Data Flows and Data Protection," GED Blog (2015), https://ged-project.de/topics/competitiveness/transatlantic-data-flows-and-data-protection-the-state-of-the-debate/ (last visited Jul 1, 2016).

[14] Geist, Michael, "The Trouble with the TPP, Day 14: No U.S. Assurances for Canada on Privacy," (2016), http://www.michaelgeist.ca/2016/01/the-trouble-with-the-tpp-day-14-no-u-s-assurances-for-canada-on-privacy/ (last visited Jul 4, 2016).

[15] Aaronson, Susan Ariel, "What does TPP mean for the Open Internet?" From Policy Brief on Trade Agreements and Internet Governance Prepared for the Global Commission on Internet Governance (2015), https://www.gwu.edu/~iiep/events/DigitalTrade2016/TPPPolicyBrief.pdf (last visited Jul 5, 2016).

[16] Lomas, Natasha, "TPP Trade Agreement Slammed For Eroding Online Rights," TechCrunch, http://social.techcrunch.com/2015/11/05/tpp-vs-privacy/ (last visited Jun 30, 2016).

[17] "Q&A: The Trans-Pacific Partnership," Human Rights Watch (2016), https://www.hrw.org/news/2016/01/12/qa-trans-pacific-partnership (last visited Jul 1, 2016).

[18] "TPP Full Text Released," People Over Politics (2015), http://peopleoverpolitics.org/2015/11/07/tpp-just-as-bad-as-you-thought/ (last visited Jul 7, 2016).

[19] "Right to Privacy in Trans-Pacific Partnership (TPP ) Negotiations," Knowledge Ecology International, http://keionline.org/node/1164 (last visited Jul 1, 2016).

[20] Asian Trade Centre, "E-Commerce and Digital Trade Proposals for RCEP (2016)," http://static1.squarespace.com/static/5393d501e4b0643446abd228/t/575a654c86db438e86009fa1/1465541967821/RCEP+E-commerce+June+2016.pdf (last visited Jul 1, 2016).

[21] "E-commerce companies like Flipkart, Snapdeal to beef up data security to meet RCEP norms," The Economic Times, http://economictimes.indiatimes.com//articleshow/49068419.cms (last visited Jul 1, 2016).

[22] ECLI:EU:C:2015:650 (C -362/14)

[23] King et al., "Privacy law, cross-border data flows, and the Trans Pacific Partnership Agreement: what counsel need to know," Lexology, http://www.lexology.com/library/detail.aspx?g=b5c0b400-8161-4439-a4b7-131552ad5209 (last visited Jul 4, 2016).

[24] "U.S.-India Business Council Applauds Resumption of Cybersecurity Dialogue," U.S.-India Business Council (2015), http://www.usibc.com/press-release/us-india-business-council-applauds-resumption-cybersecurity-dialogue (last visited Jul 5, 2016).

[25] Sukumar, Arun Mohan, "India Is Coming up Against the Limits of Its Strategic Partnership With the United States," The Wire (2016), http://thewire.in/40403/india-is-coming-up-against-the-limits-of-its-strategic-partnership-with-the-united-states/ (last visited Jul 4, 2016).

[26] Countries – Google Transparency Report, https://www.google.com/transparencyreport/userdatarequests/countries/ (last visited Jul 8, 2016).

[27] Sukumar, Arun Mohan, "A case for the Net’s Ctrl+Alt+Del," The Hindu, September 5, 2015, http://www.thehindu.com/opinion/op-ed/a-case-for-the-nets-ctrlaltdel/article7616355.ece (last visited Jul 5, 2016).

9. Author Profile

Shubhangi Heda is a Student of Jindal Global Law School, O.P Jindal Global University. She has completed her fourth year. She gives due importance to popular culture in her life and loves to read fiction and like to watch TV-shows, her favorite being 'White Collar'.

The article by Pranesh Prakash and Japreet Grewal was published in Factordaily on July 13, 2016.

Several media outlets, including The Verge, India Today, and BuzzFeed, reported that the resolution was ‘opposed’ by China, Russia, Saudi Arabia, South Africa and India. The Verge, for instance, reported that these countries “specifically opposed” a clause of the resolution that “condemns unequivocally measures to intentionally prevent or disrupt access to or dissemination of information online and calls for all countries to refrain from such measures”.  This is pure bunkum.  Some media organisations have also been reporting that the UNHRC resolution “declares that access to the Internet is a human right”. This too is fiction.

What’s the truth?  The UNHRC resolution covers wide ground, including the reaffirmations of two previous resolutions, which stated that the same rights that people have offline must also be protected online as well.  As ARTICLE19, an international free speech NGO, notes: “The draft resolution goes further than its predecessors, including by stressing the importance of an accessible and open Internet to the achievement of the Sustainable Development Goals, as well as in calling for accountability for extrajudicial killings, arbitrary detentions and other violations against people for expressing themselves online.”  Importantly, the resolution “unequivocally condemns” internet shutdowns, such as the one that happened in Kashmir just last week after security forces killed guerrilla Burhan Wani.

This resolution was, in fact, adopted without any opposition. So why the brouhaha over countries like India?

Here are the facts

There were four separate amendments, two of which were proposed by Belarus, China and Russia (referred as L85, L86 in this article) and the other two were proposed by Belarus, China, Russia and Iran (referred as L87 and L88).  None of these amendments comment on the paragraph in the resolution that condemns intentional disruption of access or dissemination of internet services. So the headlines in most of the reports are just plain wrong. Let’s examine each of these four amendments one by one

In L85, an amendment was suggested to a paragraph that refers to past resolutions by the UNHRC and the UN General Assembly relating to freedom of expression and the right to privacy online. The amendment, which proposed including a reference to a previous UNHRC resolution on the rights of children online, was later withdrawn.

In L86 the proposed amendments both added and removed some text, and was hotly opposed by organisations like ARTICLE19. The proposed amendment said that the same rights people have offline must also be protected online, in particular, freedom of expression and the right to privacy, in accordance with articles 17 and 19 of the International Covenant on Civil and Political Rights (ICCPR), a multilateral treaty adopted by the United National General Assembly to respect civil and political rights of individuals. Major additions: Some text on right to privacy and a reference to Article 17 of the ICCPR, which is about privacy. Major deletions: a reference to the Universal Declaration on Human Rights, and language stating that that freedom of expression is “applicable regardless of frontiers and through any media of one’s choice”, which is present in article 19 of the ICCPR.  However, article 19 of the ICCPR is incorporated by reference even in the proposed amendment!  So is there a real loss in purely legal terms?  Not really.

The amendments in L87 sought to replace the term “human rights based approach” that stressed on the need to provide and expand access to the internet, and to replace it with the term “comprehensive and integrated approach.” The problem is that there is no clarity about what a “human rights based approach” to providing and expanding access to the internet is. What does it even mean? Is there a “human rights based approach” to spectrum auctions and spectrum sharing? Or the laying of fibre optic cables? Or anything else associated with internet access?  If there is, indeed, a human rights based approach to providing and expanding access to the internet, it should be spelt out, rather than simply calling it that. Similarly, the term “comprehensive and integrated approach” is equally vague.

Finally, in L88, the amendments proposed that the UN resolution should acknowledge concerns about using the internet and information technology for spreading ideas about “racial superiority or hatred, incitement to racial discrimination, xenophobia and related intolerance.” In the light of this, it is difficult to understand how adding concerns relating to hate speech to the resolution is seen as “being opposed” to online freedoms, especially when there is no direct action contemplated in the proposed amendment.

Indeed, in Paragraph 9, gender violence is mentioned, and in Paragraph 11, incitement to hatred is mentioned.  Adding an additional, more specific reference can hardly be construed as being opposed to online freedoms. After all, states have a positive obligation to enact laws to prohibit hate speech under Article 20 (2) of the ICCPR, which is a centrepiece of international human rights law.

Even if one harbours reservations about these amendments, none of these amendments could be reasonably be characterised as “opposing” the condemnation of Internet shutdowns or “opposing” online freedoms. And factually, no states (including India, China, South Africa, Russia, and more) voted against the resolution.

A game of Chinese whispers

So why did so many prominent news organisations around the world get it so wrong? My theory is that it happened because organisation like ARTICLE19 put out press releases on what they perceived as the ‘weakening’ of the resolutions by the amendments examined above, and their regret that even democratic states like India and South Africa voted for these amendments.  This was wrongly portrayed in much of the media as opposition by these countries to the resolution itself, to online freedoms, and particularly as opposition to the idea of condemning internet shutdowns.  Thanks to the Chinese whispers nature of news reporting, this mistaken idea spread far and wide without any of the reporters bothering to check the original UN documents.

However, regardless of the faulty reportage, there is a real crisis in India, with organisations like Medianama and  the Software Freedom Law Centre having counted at least nine internet shutdowns this year alone, and at least 30 since 2013. It is shameful if India condemns internet shutdowns at the UNHRC while deploying them for purposes such as preventing cheating during an examinations, during Ganesha visarjan, during Eid, during wrestling matches, and during protests.

We at the Centre for Internet and Society have previously explained why a Gujarat High Court order allowing for an internet shutdown during riots was wrong in law, and violated our Constitution as well as our international human rights obligations.  That is something the India media ought to be focussing far more on, but aren’t.

Lastly, it would also be welcome for the individual civil society organisations that signed an open letter to UNHRC members to explain why they too believed that these amendments would have significantly harmed our freedoms online.  We see it instead as a case of ‘human rights politics’ being played out, when none of the proposed amendments would have had much of a negative legal impact, but only a political impact.

Should civil society organisations really get worked up about these?

Edited by: Pranav Dixit

The article was published in Indian Express on July 3, 2016.

The world of social media can be a minefield of misinformation, and it does get difficult to verify facts and ensure the veracity of the information that comes to us on the winged notifications of our apps. This becomes starkly clear in times of crises. Hence, when the historic and heinous shootout at a gay night club in Orlando, USA, shook the world with horror and grief a couple of weeks ago, when the first tweets appeared on my timeline, my initial reaction was denial. Instead of believing those first responders, I was already searching for more credible news lines that could confirm — or hopefully deny — the massacre. It took only a few minutes, though, to realise that #StandWithOrlando was a reality that we will have to accommodate in the story of continued violence and abuse of sexual minorities around the world.

However, not all deception is bad. One of the most fantastic responses to the shoot-out was from a Quebec-based satirical website called JournalDemourreal.com that published a photoshopped image showing the Canadian PM Justin Trudeau kissing the leader of the Canadian opposition party Tom Mulcair, with a headline that the two, despite their differences, are “united against homophobia”. I know that I liked this fake story four times on different newsfeeds, half-believing, half-wishing that it was true, before I realised that it is a hoax. Morphed as it might be, the doctored image enabled people to talk about the tragedy as demanding a personal and a policy-level action, ranging from acceptance and freedom, to control of guns and protecting the rights of life and dignity for the sexual minorities who continue to remain persecuted in the world.

The image also allowed many queer people in different parts of the world — especially in the countries where homosexuality continues to be criminalised and severely punished — to participate not only in the global grief but also to demand that their governments take more responsibility towards its queer population.

While this photoshopped picture was making the rounds, another tweet showed up on my timeline. This time it was a tweet from our media-savvy PM, Narendra Modi, who claimed that he was “shocked at the shootout in Orlando.”And further added that his “thoughts and prayers are with the bereaved families and the injured”. When I saw this tweet, my reaction again, was that this must be another joke. Because even as queer rights activists in the country struggle to fight for the decriminalisation of homosexuality, through their curative petitions in the Supreme Court in India, PM Modi’s government has continued its hateful diatribe against queer people in the country. His party has called homosexuality “anti-Indian” and “anti-family”. The party’s favourite, Baba Ramdev, continues his hate speech, offering to cure homosexuality through yoga.

Ever since the current government took power, documented hate crimes against queer people have more than doubled in the country. So when the PM decided to offer his condolences to those in Orlando, I figured that either it was a fake Twitter account masquerading as the PM or it was some kind of a hacker troll — maybe Anonymous, the online guerrilla activists, who recently took over ISIS- friendly websites and filled them up with information about male homosexuality as a response to the shoot-out — had taken control of the Twitter account. But it turned out that this piece of information was not photoshopped or hacked. It was actually true, and we were to believe in earnest that while the government doesn’t care about the millions of queer people being denied their rights to live and love in their country, it is heartbroken about what happened in the USA.

It does make you wonder about the world we live in, where a photoshopped image sounded more plausible than an undoctored tweet. It emphasises why Orlando cannot be treated as one isolated instance in another country, but that #WeAreOrlando. For right now, Orlando is also in India. It is a reminder that while we have been fortunate not to have such an instance of dramatic violence, there are millions of people in the country who are forced to live and die in deception for their sexual orientation.

The article was published in the Indian Express on July 17, 2016

I was busy, writing, when a Telegram message trickled in. It was a friend who asked me if I had looked at the new Pokémon Go game which has been getting more attention than national elections and global warfare in the USA lately. A location-based augmented reality game that involves the users moving around their physical environments “collecting” pokemon characters that appear hiding in different locations has a large part of the American population in a frenzy, leading to aching soles, traffic accidents, and involuntary bumping into things and people as the players move around, their eyes glued to their screens. The global release of the game is still in the pipeline, and so the rest of us will have to make do with the videos and screen grabs of the game.

While a big Pikachu fan myself, I don’t see myself going crazy over this game as and when my geography allows me for it, but the friend who had written to me about it is perturbed. An avid gamer and a self-proclaimed Pokémon fan, he is devastated that the users in privileged geography are going to get a head start in the global leader boards that he can never catch up with. The interwebz is already abuzz with players sharing hacks, cracks, bugs, cheat codes, and tips to collect more Pokémon, discover hidden powers, and rise quickly in the ranks as they drive, walk, run and jog around their neighbourhoods, in the quest of catching those delightful monsters on their phones. While my friend is aware that this cloud-based game will have multiple servers for different geographies, and so there will be relative rankings and customised interfaces for each community of players, he was feeling cheated about living in India and not having access to the first release of the game that has all the attention on the social web right now.

‘It almost makes me want to leave India and move to the USA,’ he said in mock frustration. It made me think about the privilege of geography when it comes to the presumed flatness of the digital world. One of the imaginations of the peer-to-peer architectures of the internet is its promise of flatness. With a series of non-discriminatory principles like #NetNeutrality and #ZeroRating enshrined as the fundamental attributes of the digital internet, we are often led to believe that when we are online, we are equal. This idea is so prevalent that in most of our technology-based development practices and policies, we think of access as the “be all”, if not the “end all”, of our activities. The rhetoric promises that if we get everybody online, we will have an egalitarian society where everybody will have equal access to resources, and equity by participating in the decision-making processes.

Despite overwhelming evidence that the digital world is anecdotally and systemically a space of exclusion, contestation, and intimidation, we continue to propagate the idea that these are “human” problems. Humans, fragile, frail and foolish in their being, contaminate the digital space. Humans, mired in the analogue systems of hatred and abuse, appropriate technologies to perpetuate these older forms of discrimination. The technological structures are imagined as pure, sterile, and committed to constructing parameters of equality through their neutral promises of universal access and seamless connectivity. Technology is clean, the human being is impure. Technology is robust, the human frail. Technology is flat, human hierarchical. These narratives of a neutral and egalitarian technology consequently lead us to put more importance and faith in algorithmic decisions and data-driven governance and policing. We have come to believe that because technologies are neutral, they will do a better job of regulating us than we do ourselves.

Pokémon Go, and its obvious geographical privilege reminds us that the digital is not flat. It is oriented towards a very obvious logic of geopolitical, economic, racial, and identity privileging that continues to promote some parts of the world as favoured standards of first access. The exclusive release of Pokémon Go reminds us that the digital is as subject to Euro-American centrism which treat these erstwhile imperial geographies as the beginning points of all digital activities, slowly expanding their fold to other regions through a trickle-down politics and economics. Whether you are waiting impatiently to join the global bandwagon of Pokémon collection, or are ready to shrug this off as another thing that people do on the web, this differential, preferential, and variable access of the internet is something we definitely want to consider as we continue to push for the digital as the solution to human problems.

We acknowledged that the independently audited financial reports on ICANN’s website list the total amount from all RIRs as a lump sum.[1] However, we specifically sought a breakdown of these fees detailing contributions made by each RIR from 1999 to 2014. Not only will this information help understand the RIR-ICANN relationship, it will also be relevant to the IANA transition.

The request filed by Protyush Choudhury can be found here.

What ICANN said

According to ICANN’s response to our request, the five RIRs (AfriNIC, ARIN, APNIC, LACNIC and RIPE NCC) make a voluntary annual contribution to ICANN’s budget through the Number Resource Organization (NRO). [2] Since Financial Year 2000, this contribution has been made to ICANN as an aggregate amount without the kind of breakdown requested by us with the exception of FY03, FY04 and FY05. The breakdown of the contribution for those years is as below:

• FY03: APNIC - $129,400; ARIN - $159,345; RIPE - $206,255
• FY04: APNIC - $160,500; ARIN - $144,450; RIPE - $224,700; LACNIC - $5,350
• FY05: APNIC - $220,976; ARIN - $218,507; RIPE - $358,086; LACNIC - $25,431

The response links back to the independent financial reports mentioned by us in the request. These reports can be found on the ICANN website here.

On closer examination of the audit reports of FY03, 04 and 05, it is clear that the information provided in their response is either incomplete or incorrect. According to KPMG’s audit report of FY03, the total contribution from Address Registries is US$535,000. The breakdown in the response adds up only to $494,600. The response does not account for the extra $40,400. If only APNIC, ARIN and RIPE contributed to ICANN in 2003, where did the other $40,400 come from? Moreover, why is it listed as an Address Registry Fee in the audit report if it was a voluntary contribution?[3]

The “Address Registry Fees” in the audit reports for FY04 and FY05 match the amounts in the response: $535,000 and $823,00 respectively. ICANN's response to our DIDP request may be found here.

For the reader’s reference, the audit reports for FY00 - FY14 are linked below:

• FY00: https://www.icann.org/resources/unthemed-pages/financial-report-fye-2000-06-30-en
• FY01: https://www.icann.org/resources/unthemed-pages/financial-report-fye-2001-06-30-en
• FY02: https://www.icann.org/resources/unthemed-pages/financial-report-fye-2002-06-30-en
• FY03: https://www.icann.org/en/system/files/files/financial-report-fye-30jun03-en.pdf
• FY04: https://www.icann.org/en/system/files/files/financial-report-fye-30jun04-en.pdf
• FY05: https://www.icann.org/en/system/files/files/financial-report-fye-30jun05-en.pdf
• FY06: https://www.icann.org/en/system/files/files/financial-report-fye-30jun06-en.pdf
• FY07: https://www.icann.org/en/system/files/files/financial-report-fye-30jun07-en.pdf
• FY08: https://www.icann.org/en/system/files/files/financial-report-fye-30jun08-en.pdf
• FY09: https://www.icann.org/en/system/files/files/financial-report-fye-30jun09-en.pdf
• FY10: https://www.icann.org/en/system/files/files/financial-report-fye-30jun10-en.pdf
• FY11: https://www.icann.org/en/system/files/files/financial-report-fye-30jun11-en.pdf
• FY12: https://www.icann.org/en/system/files/files/financial-report-fye-30jun12-en.pdf
• FY13: https://www.icann.org/en/system/files/files/financial-report-fye-30jun13-en.pdf
• FY14: https://www.icann.org/en/system/files/files/financial-report-fye-30jun14-en.pdf

[1] See audited financial reports: https://www.icann.org/resources/pages/governance/current-en

[2] See letter from NRO to ICANN: https://www.icann.org/en/system/files/files/akplogan-to-twomey-23mar09-en.pdf

[3]. See report for FY03 (pg 4): https://www.icann.org/en/system/files/files/financial-report-fye-30jun03-en.pdf

It was reported recently that ICANN contributed US$200,000 to the Initiative.[1] Following this report, we requested the details of all expenses incurred by ICANN for NMI till date. This includes formal contributions to NMI as well as costs incurred towards travel and accommodation of ICANN board and staff to meetings relevant to the NMI discussion.

Apart from these financial details, we also requested information regarding the number of staff working on NMI from ICANN and the hours clocked by them for the same. We further specified that we would like this information to gauge ICANN’s involvement beyond its technical mandate. The request filed by Geetha Hariharan can be found here.

What ICANN said

In its response, ICANN separated the questions in the request into two categories: a) Expenses incurred by ICANN towards the NETmundial Initiative and b) Other resources (personnel and hours) allocated to the Initiative by ICANN. The first category in the request includes: formal contribution to the NETmundial Initiative; travel costs of ICANN board and staff; and costs of maintenance of other sponsored parties. The second includes the number of staff involved in the NETmundial Initiative from ICANN and the number of hours spent working on it.

To answer both, the response directs us to the Memorandum of Collaboration (MOC)[2]signed by the Brazilian Internet Steering Committee (CGI.br), ICANN and the World Economic Forum (WEF) to set up the NETmundial Initiative according to the outcome document from the initial NETmundial meeting in Sao Paulo, Brazil.

Some of the important takeaways from the MOC that are relevant to our request are the following:

• Each party to the MOC agrees to pay $201,667 towards operational expenses on signature of the agreement.
• Total anticipated cost of the NETmundial Initiative is $605,000 (also mentioned in the response).
• Each party will assign 1 staff member to the NETmundial Initiative secretariat during the inaugural period to smoothen the process. This staff member will commit at least 50% of their time towards Secretariat work.

This information is important but it does not provide a comprehensive answer to our query. It does not, for example, answer if ICANN contributed anything more than the $201,667 the MOC specifies. It also does not tell us if ICANN allotted any staff apart from the designated secretariat member to work on NETmundial Initiative.

Further, the response states that ICANN does not keep track of costs according to the number of hours or the topic but rather according to strategic objectives. Since ICANN is not required to create a document that does not already exist to answer a DIDP enquiry,[3] we have no way of knowing the specific amount of  time or money spent on the NETmundial Initiative by ICANN. The response instead directs us to the financial presentation at ICANN50 where the costs of attending the NETmundial Meeting at Sao Paulo is detailed. While this is interesting (ICANN spent $1.5 million)[4] it is not a satisfactory answer to our question.

ICANN justifies its lack of direct answers by expressing that not only is the request “overbroad", it is also “subject to the following DIDP Condition of Nondisclosure: Information requests: (i) which are not reasonable; (ii) which are excessive or overly burdensome; and (iii) complying with which is not feasible.”[5]

ICANN's response to our DIDP request may be found here.

[1] See McCarthy, ‘I’m Begging You To Join’ – ICANN’s NETmundial Initiative gets desperate, THE REGISTER (12 December 2014), http://www.theregister.co.uk/2014/12/12/im begging you to join netmundial initiative gets d esperate/

[2] See MOC: https://www.netmundial.org/sites/default/files/MOC-%20CGI.br,%20ICANN%20&%20WEF.pdf

[3] See Disclosure Policy: https://www.icann.org/resources/pages/didp-2012-02-25-en

[4] See ICANN50 Finance Presentation (Pg 4): https://london50.icann.org/en/schedule/thu-finance/presentation-finance-26jun14-en

[5] See ICANN conditions for non-disclosure: https://www.icann.org/resources/pages/didp-2012-02-25-en

In September 2015, we filed two separate DIDP requests regarding ICANN’s Contractual Compliance Goals. The first one, briefed below, is regarding the contracts with registries and the second one is regarding ICANN contracts with registrars. This post contains some additional background information on the Contractual Compliance Goals at ICANN. In our first request, we specifically asked for the following information:

1. Copies of the registry contractual compliance audit reports for all the audits carried out as well as external audit reports from the last year (2014-2015).
2. A generic template of the notice served by ICANN before conducting such an audit.
3. A list of the registries to whom such notices were served in the last year.
4. An account of the expenditure incurred by ICANN in carrying out the audit process.
5. A list of the registries that did not respond to the notice within a reasonable period of time.
6. Reports of the site visits conducted by ICANN to ascertain compliance.
7. Documents which identifies the registry operators who had committed material discrepancies in the terms of the contract.
8. Documents pertaining to the actions taken in the event that there was found to be some form of contractual non-compliance.

The DIDP request filed by Padmini Baruah can be viewed here.

What ICANN said

ICANN’s Contractual Compliance Goal is to ensure that all the parties that ICANN has entered into a contract with complies with the stipulations of the contract. This is done in several ways, including Contractual Compliance complaints and Audits.[1]

In 2012, ICANN initiated the Three Year Audit plan where one-third of registries were selected each year for an audit. In 2014, the third set of registries were audited. In response to Item 1,  information about the audit for 2014 can be found here: https://www.icann.org/en/system/files/files/contractual-compliance-ra-audit-report-2014-03feb15-en.pdf. At this link, we can also find the list of registries that went through the audit process in 2014 (item 3). Monthly updates on overall contractual compliance can be found here: https://www.icann.org/resources/pages/update-2013-03-15-en.

ICANN linked us to all the communication templates used during the audit process, including the notice served by ICANN prior to conducting audits. (Item 2) It can be found here: https://www.icann.org/en/system/files/files/audit-communication-template-04dec15-en.pdf

In the operating plan and budget for FY15, ICANN sets aside USD 0.2 million for the New Registry Agreement Audit and USD 0.6 million for the Three Year Audit plan.[2]

Other documents to answer this question such as invoices from the external auditing firm are subject to non-disclosure under DIDP policies. Since all registries responded in a timely manner and no site visits were conducted, there are no documents to answer items 5 and 6.

The audit report linked above contains information on deficiencies identified during the audit. ICANN states that registries addressed these deficiencies during the remediation process. However, there is a caveat to this discussion. The names of the registries that are associated with these discrepancies remains confidential, subject to the DIDP Defined Conditions for Nondisclosure. (Item 7) ICANN goes on to state that it is not required to confirm if the registries have taken appropriate action and thus does not have any documents in response to item 8. While ICANN’s audit process seems thorough, does this last statement indicate a lack of enforcement mechanisms on ICANN’s part?  

ICANN’s response to our request can be found here.

[1]. See Contractual Compliance website: https://www.icann.org/resources/pages/compliance-2012-02-25-en

[2]. See FY15 budget (pg72): https://www.icann.org/en/system/files/files/adopted-opplan-budget-fy15-01dec14-en.pdf

The first one which we have written about here,[1] was regarding ICANN contracts with registries while the second one about registrars is briefed below. In our second request, we specifically asked for the following information:

1. Copies of the registrar contractual compliance audit reports for all the audits carried out as well as external audit reports from the last year (2014-2015).
2. A generic template of the notice served by ICANN before conducting such an audit.
3. A list of the registrars to whom such notices were served in the last year.
4. An account of the expenditure incurred by ICANN in carrying out the audit process.
5. A list of the registrars that did not respond to the notice within a reasonable period of time.
6. Reports of the site visits conducted by ICANN to ascertain compliance.
7. Documents which identify the registrars who had committed material discrepancies in the terms of the contract.
8. Documents pertaining to the actions taken in the event that there was found to be some form of contractual non-compliance.
9. A copy of the registrar self-assessment form which is to be submitted to ICANN.

The DIDP request filed by Padmini Baruah can be viewed here.

What ICANN said

Information pertinent to item 1 and 3 can be found in the 2014 Contractual Compliance Annual Report here:https://www.icann.org/en/system/files/files/annual-2014-13feb15-en.pdf. While this report contains detailed information regarding the audit, individual audit reports are subject to the DIDP Defined Conditions for Nondisclosure.

ICANN provided a link to all the communication templates used during the audit process, including the notice served by ICANN prior to conducting audits. (Item 2) It can be found here: https://www.icann.org/en/system/files/files/audit-communication-template-04dec15-en.pdf. As mentioned in an earlier blog post, ICANN set aside USD 0.6 million for the Three Year Audit plan.[2] (item 4)

According to the Audit FAQ on ICANN website,[3] “If a contracted party reaches the enforcement phase per process, ICANN will issue a notice of breach in which the outstanding issues are noted. The response links us to the ICANN webpage where these breach notices are listed: https://www.icann.org/compliance/notices#notices-2014. (Item 5) According to the link, 61 registrars received breach notices in 2014; a full explanation has been provided for each notice. (Item 7 and 8) Since no site visits were conducted, ICANN does not possess any document regarding this.

According to the ICANN website, “The 2013 Registrar Accreditation Agreement (RAA) requires ICANN-accredited registrars to complete an annual self-assessment and provide ICANN with a compliance certification by 20 January.”[4] The form for the same can be found here: https://www.icann.org/resources/pages/approved-with-specs-2013-09-17-en#compliance

ICANN’s response to our request can be found here.

[1] To be linked to the first post

[2] See FY15 budget (pg72): https://www.icann.org/en/system/files/files/adopted-opplan-budget-fy15-01dec14-en.pdf

[3] See Audit FAQ: https://www.icann.org/resources/pages/faqs-2012-10-31-en

[4] See CEO certification: https://www.icann.org/resources/pages/ceo-certification-2014-01-29-en

At CIS, we believe that any exchange of dialogue or any outcome from ICANN acting on these complaints needs to be in the public domain. Thus, our 15th DIDP request to ICANN were for documents pertinent to Verisign’s contractual compliance and actions taken by ICANN stemming from any discrepancies of Verisign’s compliance with its ICANN contract.

The DIDP request filed by Padmini Baruah can be found here.

What ICANN said

After sorting through a response designed to obfuscate information, it was clear that ICANN was not going to provide any of the details we requested. As mentioned in their previous responses, individual audit reports and the names of the registries associated with discrepancies are confidential under the DIDP Defined Conditions of Nondisclosure. Nevertheless, some details from the response are worth mentioning.

According to the response, “As identified in Appendix B of the 2012 Contractual Compliance Year One Audit Program Report, the following TLDs were selected for auditing: DotAsia Organisation Limited (.ASIA), Telnic Limited (.TEL), Public Interest Registry (.ORG), Verisign (.NET), Afilias (.INFO), and Employ Media LLC (.JOBS).” The response goes on to state that out of these 6 registries that were selected, only 5 chose to participate in the audit, the identies of which are once again confidential.

However, on further examination, it can be seen that Verisign (.NET) was chosen to participate in  the audit the year after as well. Therefore, it’s clear that 2013 was the year Verisign was audited. Unfortunately, that was pretty much all that was relevant to our request in ICANN’s response.

Once again, ICANN was able to use the DIDP Defined Conditions of Nondisclosure, especially the following conditions to allow itself the ability not to answer the public:

• Information exchanged, prepared for, or derived from the deliberative and decision-making process between ICANN, its constituents, and/or other entities with which ICANN cooperates that, if disclosed, would or would be likely to compromise the integrity of the deliberative and decision-making process between and among ICANN, its constituents, and/or other entities with which ICANN cooperates by inhibiting the candid exchange of ideas and communications.
• Information provided to ICANN by a party that, if disclosed, would or would be likely to materially prejudice the commercial interests, financial interests, and/or competitive position of such party or was provided to ICANN pursuant to a nondisclosure agreement or nondisclosure provision within an agreement.
• Confidential business information and/or internal policies and procedures.[1]
  

ICANN’s response to our request can be found here.

[1] See DIDP https://www.icann.org/resources/pages/didp-2012-02-25-en

We wrote to ICANN requesting information on these abuse complaints received by registrars over the last year. We specifically wanted reports of illegal activity on the internet submitted to these abuse contacts as well as details on actions taken by registrars in response to these complaints.

The request filed by Padmini Baruah can be found here.

What ICANN said

Our request to ICANN very specifically dealt with reported illegal activities. However, in their response, ICANN first broadened it to abuse complaints and then failed to give a narrowed down list of even those complaints.

In their response, ICANN indicated that they do not store records of complaints made to the abuse contact. This is stored by the registrars and is available to ICANN only upon request. However, since ICANN is only obliged to publish documents it already has in its possession, we did not receive an answer to our first question.

As for the second item, ICANN gave a familiarly vague answer, linking us to the Contractual Compliance Complaints page with a list of all the breach notices that have been issued by ICANN to registrars. A breach notice is relevant to our request only if it is in response to an abuse complaint, and the abuse complaint specifically deals with illegal activity. Even discounting that, this is not a comprehensive list when you take into account that a breach notice is published only “if a formal contractual compliance enforcement process has been initiated relating to an abuse complaint and resulted in a breach.”[1] What about the rest of the complaints received by the registrar?

In addition, ICANN refused to publish any communication or documentation of ICANN requesting reports of illegal activity under the DIDP non-disclosure conditions.

ICANN's response to our DIDP request may be found here.

[1] See ICANN response here (Pg 4): https://www.icann.org/en/system/files/files/didp-response-20150901-4-cis-abuse-complaints-01oct15-en.pdf

It is clear to us at CIS that the people in charge of these compliance audits perform an important function at ICANN. To that effect, we requested information on the 24 individuals mentioned by Mr Chehadi as well as the third party auditors who perform this powerful watchdog function. More specifically, we requested documents calling for appointments of the auditors and copies of their contracts with ICANN.

The request filed by Padmini Baruah can be found here.

What ICANN said

In their response to the first part of our question, ICANN linked us to a webpage containing the names and titles of all employees working on contractual compliance. This page contains 26 names including the Contractual Compliance Risk and Audit Manager: https://www.icann.org/resources/pages/about-2014-10-10-en

ICANN also described the process of selecting KPMG as their third party auditor in detail. A pre-selection process shortlists 5 companies  that fit the following criteria: knowledge of ICANN, global presence, size, expertise and reputation. Then, ICANN issues a targeted Request For Proposal (RFP) to these companies asking them for their audit proposals. After a question and answer session, a proposal analysis and rating the scorecards, a “cross-functional steering committee” decided to go with KPMG. While the process has been discussed transparently, our questions remain unanswered.

The RFP would qualify as the document requested by us in the second part of the question (i.e.)  a “document that calls for appointments to the post of the contractual compliance auditor.” Unfortunately, ICANN has not published the RFP citing the DIDP Conditions for Non-disclosure. However, the timeline for the RFP and other details have been posted here after our DIDP request. In addition, the contract between  KPMG and ICANN has also not been published.

ICANN's response to our DIDP request may be found here.

The request filed by Padmini Baruah can be found here. To no one’s surprise, not only did ICANN not have this document in “ICANN's possession, custody, or control,” even if it did it would be subject to DIDP conditions for non-disclosure.

ICANN's response to our DIDP request may be found here.

See NTIA announcement here.

In August 2015, NTIA announced that it would not be technically possible to meet this deadline and extended it by a year. NTIA stated,

“Accordingly, in May we asked the groups developing the transition documents how long it would take to finish and implement their proposals. After factoring in time for public comment, U.S. Government evaluation and implementation of the proposals, the community estimated it could take until at least September 2016 to complete this process.”

In our DIDP request, we asked ICANN for all documents that it had submitted to NTIA that were relevant to the IANA transition and its postponement from the date of the initial announcement— March 14, 2015 to the date of the announcement of extension — August 17, 2015. We specifically requested the documents requested by NTIA in May 2015 as referenced by this blogpost.

The request filed by Padmini Baruah can be found here.

What ICANN said

ICANN’s response terms our request as “broadly worded” and assumes that our request is only related to documents about the extension of the deadline. It was not.

After NTIA’s announcement in 2014, ICANN launched a multi-stakeholder process and discussion at ICANN 49 in Singapore to facilitate the transition. The organizational structure of this process has been mapped out according to the different IANA functions that are being transitioned. Accordingly, we have the:

• IANA Stewardship Transition Coordination Group (ICG)
• Cross Community Working Group (CWG-Stewardship)
• Consolidated RIR IANA Stewardship Proposal Team (CRISP TEAM)
• IANAPLAN Working Group (IANAPLAN WG)
• Cross-Community Working
• Group (CCWG-Accountability)

In addressing our request, ICANN references this multi-stakeholder community overseeing the transition. According to the response document, the ICG, CWG-Stewardship, CRISP Team, IANAPLAN WG and the CCWG-Accountability submitted responses directly to the NTIA leaving the ICANN with no documents responsive to our request.

ICANN's response to our DIDP request may be found here.

See the base registry agreement here.

In light of this, we filed a request asking ICANN for documents that discuss the rationale behind including the presumptive renewal clause. We also asked them for documents specific to the renewal of Verisign (.com and .net domains) and PIR (.org) contracts. The request filed by Padmini Baruah can be found here.

What ICANN said

ICANN provided a surprisingly comprehensive response to our request. They provided documents in response to our request and stated the rationale that has been given for including a presumptive renewal clause. According to the response,

“Absent countervailing reasons, there is little public benefit, and some significant potential for disruption, in regular changes of a registry operator. In addition, a significant chance of losing the right to operate the registry after a short period creates adverse incentives to favor short term gain over long term investment.”

ICANN explains that the contracts have been drawn such that they balance the concerns above with the ability to replace a registry that doesn’t serve the community as it is obliged to do. The response also offers links to various documents substantiating this rationale.

We were provided an effective answer to our second question as well. ICANN’s response links us to various documents for the 2001, 2006 and 2012 renewals of Verisign’s contract for the .com domain. This includes a summary of the 2012 renewal, public comments for all three renewals and the proposed agreements.

For the .net domain, a presumptive renewal clause was not included in the 2001 Verisign contract which opened up the process to select an operator in 2005. ICANN chose to continue its relationship with Verisign and included the clause. The documents relevant to the 2011 renewal of the contracts have been provided.

After Verisign relinquished its rights over the .org domain in 2001, ICANN chose the Public Internet Society (PIR) to operate the domain.  While there was no presumptive renewal clause in 2002, documents relevant to the 2006 and 2013 renewals have been provided.

ICANN's response to our DIDP request may be found here.

The request filed by Padmini Baruah can be found here.

What ICANN said

ICANN’s response linked us to the Memorandum of Understanding signed by ICANN and the Number Resource Organization (NRO) which represents the 5 RIRs. The MoU replaces the ones signed by ICANN and the individual RIRs. The response also links us to a series of letters written by the NRO to ICANN reaffirming their commitment to the MoU. Interestingly, the MoU does not mention anything about payments or monetary contributions.

In response to the second part of our request focusing on their financial relationship, ICANN gave us the same information as they did earlier. However, as pointed out in this post, that information is either incomplete or inaccurate. Further, they reject the idea that providing anything more than the audited financial reports is necessary for public benefit. According to them, “the burden of compiling the requested documentary information from 2000 to the present would require ICANN to expend a tremendous amount of time and resources.” Therefore, they classified our request as falling under this condition for non-disclosure:

“Information requests: (i) which are not reasonable; (ii) which are excessive or overly burdensome; (iii) complying with which is not feasible; or (iv) are made with an abusive or vexatious purpose or by a vexatious or querulous individual.”

We fail to see how an organization like ICANN does not already have its receipts and documentation in order. If they do, it would not be burdensome to publish them and if they don’t, well, that’s worrying for a lot of different reasons.

ICANN's response to our DIDP request may be found here.

See ICANN bye-laws here

The board governance committee must submit an annual report to the board containing the following information (paraphrased):

• Number and nature of Reconsideration Requests received including an identification of whether they were dismissed, acted upon or are pending.
• If pending, the length of time  and explanation if they have been pending for more than 90 days.
• Explanation of other mechanisms ICANN has made available to ensure its accountability to those directly affected by its actions.

CIS requested copies of documents containing all this information. The request filed by Padmini Baruah can be found here.

What ICANN said

ICANN surmised that all the information we sought can be found in their annual reports. ICANN linked us to those: https://www.icann.org/resources/pages/annual-reports-2012-02-25-en

ICANN's response to our DIDP request may be found here.

See ICG report here.

We requested ICANN for similar reports on the ICANN public comment section. The request filed by Padmini Baruah can be found here.

What ICANN said

ICANN stated that they do not conduct diversity analysis on their comment sections. This is a shame, given that the one from ICG was so informative, clear and concise. Instead they provided us with links to reports and analyses of the different topics that were up for comments and an annual report on public comments.

ICANN’s public comments section is one of the important ways in which different stakeholders and community members get involved with the organization. A diversity analysis of this section for different topics could help in informing the public about which parts of the world actually get involved in ICANN through this mechanism We suggest that ICANN make it a regular part of their report.

ICANN's response to our DIDP request may be found here.

https://www.ianacg.org/icg-files/documents/Public-Comment-Summary-final.pdf

Marrakech Public Forum 2

In light of that statement, CIS requested ICANN to publish the following information:

• Information about the individual or organization conducting ICANN’s sexual harassment training
• Materials used during this training
• ICANN’s internal sexual harassment policy

The request filed by Padmini Baruah can be found here.

What ICANN said

ICANN’s response answered our questions adequately. The organization conducting their sexual harassment training is NAVEX Global. It is an interactive online training and as such, all materials are within that platform. Besides, ICANN could not publish these materials as it would be an infringement of NAVEX Global’s intellectual property right. ICANN also attached with the response, their internal sexual harassment policy.

ICANN's response to our DIDP request (and the attached policy document)  may be found here.

Click for Applicant Support Directory

We requested ICANN for information about this program. Specifically, we asked them for information on:

• The number of applicants to the program and the amount received by them;
• The basis on which these applicants were selected;
• The amount that has been utilized thus far for this program;
• Contributions by donors;
• What “in kind” support means and includes.

The request filed by Padmini Baruah can be found here.

What ICANN said

ICANN answered all our questions in a satisfactory manner. There were three applicants to the program. Two of these: Nameshop, and Ummah Digital Ltd, did not meet the eligibility criteria listed in the handbook and therefore only one other applicant, DotKids, received the financial support. Of the USD 2,000,000 set aside, USD 135,000 was awarded to them.

The eligibility criteria is listed in the New gTLD Financial Assistance Handbook and candidates are evaluated by the Support Applicant Review Panel (SARP), “which was comprised of five volunteer members from the community with experience in the domain name industry, in managing small businesses, awarding grants, and assisting others on financial matters in developing countries.”

The USD 2,000,000 allotted to this program was set aside by ICANN’s board and as it is not exhausted, no external contributions were sought by ICANN (in cash or in kind). However, ICANN failed to explain what “in kind” contributions would be.

The request filed by Padmini Baruah can be found here.

What ICANN said

ICANN clarified that it has never been party to the RZM agreement which was made between NTIA and Verisign. According to an ICANN-Verisign joint document, the Root Zone Management Systems allows “ICANN as the IANA Functions Operator (IFO), Verisign, as the Root Zone Maintainer (RZM), and the National Telecommunications and Information Administration (NTIA) at the U.S. Department of Commerce (DoC), as the Root Zone Administrator (RZA).” The only agreement related to this is the one of cooperation between Verisign and the NTIA.

Accordingly, as the role of NTIA is transitioned to the multi-stakeholder community, Verisign and ICANN are working out terms and conditions of their own agreement to facilitate this transition together.  In response to NTIA’s request for a proposal for this transition, Verisign and ICANN submitted this document. Besides these, ICANN states that it does not have any documents responsive to our requests.

ICANN's response to our DIDP request may be found here.

The United Nations Group of Experts on ICT issued their report on Developments in the Field of Information and Telecommunications in the Context of International Security in June, 2015. This paper analyses the report of the Group of Experts and and India’s compliance with its recommendations based on existing laws and policies. CIS believes that the report of the Group of Experts provides important minimum standards that countries could adhere to in light of challenges to international security posed by ICT developments. Given the global nature of these challenges and the need for nations to holistically address such challenges from a human rights and security perspective, CIS believes that the Group of Experts and similar international forums are useful and important forums for India to actively engage with.

Download: PDF (627 kb)

1. Introduction

2. Analysis of the Recommendations

2a. Consistent with the purposes of the United Nations, including to maintain international peace and security, States should cooperate in developing and applying measures to increase stability and security in the use of ICTs and to prevent ICT practices that are acknowledged to be harmful or that may pose threats to international peace and security

2b. In case of ICT incidents, States should consider all relevant information, including the larger context of the event, the challenges of attribution in the ICT environment and the nature and extent of the consequences

2c. States should not knowingly allow their territory to be used for internationally wrongful acts using ICTs; of the Recommendations

2d. States should consider how best to cooperate to exchange information, assist each other, prosecute terrorist and criminal use of ICTs and implement other cooperative measures to address such threats. States may need to consider whether new measures need to be developed in this respect

2e. States, in ensuring the secure use of ICTs, should respect Human Rights Council resolutions 20/8 and 26/13 on the promotion, protection and enjoyment of human rights on the Internet, as well as General Assembly resolutions 68/167 and 69/166 on the right to privacy in the digital age, to guarantee full respect for human rights, including the right to freedom of expression

2f. A State should not conduct or knowingly support ICT activity contrary to its obligations under international law that intentionally damages critical infrastructure or otherwise impairs the use and operation of critical infrastructure to provide services to the public

2g. States should take appropriate measures to protect their critical infrastructure from ICT threats, taking into account General Assembly resolution 58/199 on the creation of a global culture of cybersecurity and the protection of critical information infrastructures, and other relevant resolutions

2h. States should respond to appropriate requests for assistance by another State whose critical infrastructure is subject to malicious ICT acts. States should also respond to appropriate requests to mitigate malicious ICT activity aimed at the critical infrastructure of another State emanating from their territory, taking into account due regard for sovereignty

2i. States should take reasonable steps to ensure the integrity of the supply chain so that end users can have confidence in the security of ICT products. States should seek to prevent the proliferation of malicious ICT tools and techniques and the use of harmful hidden functions

2j. States should encourage responsible reporting of ICT vulnerabilities and share associated information on available remedies to such vulnerabilities to limit and possibly eliminate potential threats to ICTs and ICT-dependent infrastructure

2k. States should not conduct or knowingly support activity to harm the information systems of the authorized emergency response teams (sometimes known as computer emergency response teams or cyber security incident response teams) of another State. A State should not use authorized emergency response teams to engage in malicious international activity

3. Conclusion

1. Introduction

Cyberspace[1] touches every aspect of our lives, has enormous benefits, but is also accompanied by a number of risks. The international community at large has realized that cyberspace can be made stable and secure only through international cooperation. Traditionally, though there are a number of bilateral agreements and forms of cooperation the foundation of this cooperation has been the international law and the principles of the Charter of the United Nations.

To this end, on December 27, 2013 the United Nations General Assembly adopted Resolution No. 68/243 requesting the" Secretary General, with the assistance of a group of governmental experts,…… to continue to study, with a view to promoting common understandings, existing and potential threats in the sphere of information security and possible cooperative measures to address them, including norms, rules or principles of responsible behaviour of States and confidence-building measures, the issues of the use of information and communications technologies in conflicts and how international law applies to the use of information and communications technologies by States……. and to submit to the General Assembly at its seventieth session a report on the results of the study. "In pursuance of this resolution the Secretary General established a Group of Experts on Developments in the Field of Information and Telecommunications in the Context of International Security; the report was agreed upon by the Group of Experts in June, 2015. On 23 December 2015, the UN General Assembly unanimously adopted resolution 70/237[2] which welcomed the outcome of the Group of Experts and requested the Secretary-General to establish a new GGE that would report to the General Assembly in 2017.

The report developed by governmental experts from 20 States addresses existing and emerging threats from uses of ICTs, by States and non-State actors alike. These threats have the potential to jeopardize international peace and security. The experts gave recommendations which have built on consensus reports issued in 2010 and 2013, and offer ideas on norm-setting, confidence-building, capacity-building and the application of international law for the use of ICTs by States. Among other recommendations, the Report lays down recommendations for States for voluntary, non-binding norms, rules or principles of responsible behaviour to promote an open, secure, stable, accessible and peaceful ICT environment.

As larger international dialogues around cross border sharing of information and cooperation for cyber security purposes take place between the US and EU, it is critical that India begin to participate in these discussions.[3] It is also necessary to take cognizance of the importance of implementing internal practices and policies that are recognized and set strong standards at the international level.

This paper marks the beginning of a series of questions we will be asking and processes we will be analysing with the aim of understanding the role of international cooperation for cyber security and the interplay between privacy and security. The report analyses the existing norms in India in the backdrop of the recommendations in the Report of Experts to discover how interoperable Indian law and policy is vis-à-vis the recommendations made in this report as well as making recommendations towards ways India can enhance national policies, practices, and approaches to enable greater collaboration at the international level with respect to issues concerning ICTs and security.

2. Analysis of the Recommendations

The Group of Experts took into account existing and emerging threats, risks and vulnerabilities, in the field of ICT and offered the following recommendations for consideration by States for voluntary, non-binding norms, rules or principles of responsible behaviour.

2a. Consistent with the purposes of the United Nations, including to maintain international peace and security, States should cooperate in developing and applying measures to increase stability and security in the use of ICTs and to prevent ICT practices that are acknowledged to be harmful or that may pose threats to international peace and security

1. India has been working with a number of countries such as Belarus, Canada, China, Egypt, and France on a number of ICT-related isues thereby increasing international cooperation in the ICT sector, such as:

(i) setting up the India-Belarus Digital Learning Centre (DLC-ICT) to promote

development of ICT in Belarus;

(ii) sending an official business delegation to Canada to attend the 2^ndJoint Working Group meeting in ICTE;

(iii) holding Joint Working Groups on ICT with China.[4]

As can be seen from this, most of the cooperation with other countries is currently government to government (or government institution to government institution) cooperation. However, it must be noted that the entire digital revolution, including ICT necessarily involves ICT companies, and thus the role of the private sector in participating in these negotiations as well as the responsibilities of private sector ICT companies in cross border cooperation. Furthermore, the above examples are a few of the many agreements, Memoranda of Understanding (MOU), and negotiations that India has with other countries on cross border cooperation. It is important that, to the extent possible, these negotiations and transparent and easily publicly available.

2. The primary legislation governing ICT in India is the Information Technology Act, 2000 ("IT Act") which was passed to provide legal recognition for the transactions carried out by means of electronic data interchange and other means of electronic communication. The IT Act contains a number of provisions that declare illegal activities that threatenICT infrastructure, data, and individuals as illegal and provide for penalties for the same. These activities are:

Section 43 - Penalty and Compensation for damage to computer, computer system, etc.: If any person without permission: (i) accesses a computer, computer system or network; (ii) downloads, copies or extracts any data from such computer, computer system or network; (iii) introduces any computer contaminant or computer virus into, destroys, deletes or alters any information on, damages or disrupts any computer, computer system or network; (iv) denies or causes the denial of access to any computer, computer system or network by any means; (v) helps any person to access a computer, computer system or network in contravention of the Act; (vi) charges the services availed of by a person to the account of another person through manipulation; or (vii) Steals, conceals, destroys or alters or causes any person to steal, conceal, destroy or alter any computer source code used for a computer resource with an intention to cause damage, he shall be liable to pay damages by way of compensation to the person so affected.

Section 66 - Computer Related Offences: If any person, dishonestly, or fraudulently, does any act referred to in section 43, he shall be punishable with imprisonment for a term which may extend to two three years or with fine which may extend to Rs. 5,00,000/- or with both.

Section 66B - Punishment for dishonestly receiving stolen computer resource or communication device: Whoever dishonestly receives or retains any stolen computer resource or communication device knowing or having reason to believe the same to be stolen computer resource or communication device, shall be punished with imprisonment of either description for a term which may extend to three years or with fine which may extend to Rs. 1,00,000/- or with both.

Section 66C - Punishment for identity theft: Whoever, fraudulently or dishonestly make use of the electronic signature, password or any other unique identification feature of any other person, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to rupees one lakh.

Section 66D - Punishment for cheating by personation by using computer resource: Whoever, by means of any communication device or computer resource cheats by personation, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to Rs. 1,00,000/-.

Section 66E - Punishment for violation of privacy: Whoever, intentionally or knowingly captures, publishes or transmits the image of a private area of any person without his or her consent, under circumstances violating the privacy of that person, shall be punished with imprisonment which may extend to three years or with fine not exceeding Rs. 2,00,000 or with both.

Section 66F - Punishment for cyber terrorism: (1) Whoever,- (A) with intent to threaten the unity, integrity, security or sovereignty of India or to strike terror in the people or any section of the people by -

• Denying or cause the denial of access to computer resource; or
• Attempting to penetrate a computer resource; or
• Introducing or causing to introduce any computer contaminant and by means of such conduct causes or is likely to cause death or injuries to persons or damage to or destruction of property or disrupts or knowing that it is likely to cause damage or disruption of supplies or services essential to the life of the community or adversely affect the critical information infrastructure, or

(B) knowingly or intentionally penetrates a computer resource and by by doing so obtains access to information that is restricted for reasons of the security of the State or foreign relations; or any restricted information with reasons to believe that such information may be used to cause or likely to cause injury to the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order, decency or morality, or in relation to contempt of court, defamation or incitement to an offence, or to the advantage of any foreign nation, group of individuals or otherwise, commits the offence of cyber terrorism.

(2) Whoever commits or conspires to commit cyber terrorism shall be punishable with imprisonment which may extend to imprisonment for life.

Section 67 - Publishing of information which is obscene in electronic form: Whoever publishes or transmits in the electronic form, any material which is lascivious or appeals to the prurient interest or if its effect is such as to tend to deprave and corrupt persons, shall be punished on first conviction with a maximum imprisonment upto 2 years and a maximum fine upto Rs. 5,00,000 and for a second or subsequent conviction with a maximum imprisonment upto 5 years and also a maximum with fine upto Rs. 10,00,000.

Section 67A - Punishment for publishing or transmitting of material containing sexually explicit act, etc. in electronic form: Whoever publishes or transmits in the electronic form any material which contains sexually explicit act or conduct shall be punished on 1st conviction with a maximum imprisonment for 5 years and a maximum fine of upto Rs. 10,00,000 and for a 2nd or subsequent conviction with a maximum imprisonment of 7 years and a maximum fine upto Rs. 10,00,000.

Section 67B - Punishment for publishing or transmitting of material depicting children in sexually explicit act, etc. in electronic form: Whoever,- (a) publishes or transmits material in any electronic form which depicts children engaged in sexually explicit act or conduct; or (b) creates text or digital images, collects, seeks, browses, downloads, advertises, promotes, exchanges or distributes material in any electronic form depicting children in obscene or indecent or sexually explicit manner; or (c) cultivates, entices or induces children to online relationship with one or more children for and on sexually explicit act or in a manner that may offend a reasonable adult on the computer resource; or (d) facilitates abusing children online; or (e) records in any electronic form own abuse or that of others pertaining to sexually explicit act with children, shall be punished on first conviction with a maximum imprisonment upto 5 years and a maximum fine upto Rs. 10,00,000 and in the event of a 2nd or subsequent conviction with a maximum imprisonment upto 7 years and also a maximum fine upto Rs. 10,00,000.[5]

Section 72 - Breach of confidentiality and privacy: Any person who, in pursuance of any of the powers conferred under this Act, has secured access to any electronic record, book, register, correspondence, information, document or other material without the consent of the person concerned discloses the same to any other person shall be punished with imprisonment for a term which may extend to two years, or with fine which may extend to Rs. 1,00,000 or with both.

Section 72-A - Punishment for Disclosure of information in breach of lawful contract: Any person including an intermediary who, while providing services under the terms of lawful contract, has secured access to any material containing personal information about another person, with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain discloses such material to any other person shall be punished with imprisonment for a term which may extend to three years, or with a fine which may extend to Rs. 5,00,000 or with both.

3. The broad language and wide terminology used IT Act seems to cover most of the cyber crimes faced in India as of now, though the technical abilities to prevent the crimes still leave a lot to be desired. The prevention of cyber crime is not the domain of the IT Act and is rather the responsibility of the law enforcement authorities (note: there is no specific authority created under the IT Act, the Act is enforced by the police and other law enforcement authorities). That said, it may be a useful exercise to briefly compare these provisions with the crimes mentioned in the Convention on Cybercrime, 2001 (Budapest Convention), an international treaty that seeks to addresses threats in cyber space by promoting the harmonization of national laws and cooperation across jurisdictions, to examine if there are any that are not covered by the IT Act. A comparison of the principles in Budapest Convention and the IT Act is below:

As can be seen from the above discussion, most of the criminal acts elucidated in the Budapest Convention are covered under the IT Act except for the provision on misuse of devices, which requires the production, dealing, trading, etc. in devices whose sole objective is to violate the provisions of the IT Act, though it is possible that provisions of the Indian Penal Code, 1860 dealing with conspiracy and aiding and abetment may be pressed into service to cover such incidents.

4. Further, there are a number of laws which deal with critical infrastructure in India, however since these are mostly sectoral laws dealing with specific infrastructure sectors, the one most relevant to ICT is the Telegraph Act, 1885, which makes it illegal to interfere with or damage critical telegraph infrastructure. The specific penal provisions are listed below:

Section 23 - Intrusion into signal-room, trespass in telegraph office or obstruction: If any person - (a) without permission of competent authority, enters the signal room of a telegraph office of the Government, or of a person licensed under this Act, or (b) enters a fenced enclosure round such a telegraph office in contravention of any rule or notice not to do so, or (c) refuses to quit such room or enclosure on being requested to do so by any officer or servant employed therein, or (d) wilfully obstructs or impedes any such officer or servant in the performance of his duty, he shall be punished with fine which may extend to Rs. 500.

Section 24 - Unlawfully attempting to learn the contents of messages: If any person does any of the acts mentioned in section 23 with the intention of unlawfully learning the contents of any message, or of committing any offence punishable under this Act, he may (in addition to the fine with which he is punishable under section 23) be punished with imprisonment for a term which may extend to one year.

Section 25 - Intentionally damaging or tampering with telegraphs: If any person, intending - (a) to prevent or obstruct the transmission or delivery of any message, or (b) to intercept or to acquaint himself with the contents of any message, or (c) to commit mischief, damages, removes, tampers with or touches any battery, machinery, telegraph line, post or other thing whatever, being part of or used in or about any telegraph or in the working thereof, he shall be punished with imprisonment for a term which may extend to three years, or with fine or with both.

Section 25A - Injury to or interference with a telegraph line or post: If, in any case not provided for by section 25, any person deals with any property and thereby wilfully or negligently damages any telegraph line or post duly placed on such property in accordance with the provisions of this Act, he shall be liable to pay the telegraph authority such expenses (if any) as may be incurred in making good such damage, and shall also, if the telegraphic communication is by reason of the damage so caused interrupted, be punishable with a fine which may extend to Rs. 1000:

5. The telecom service providers in India have to sign a license agreement with the Department of Telecommunications for the right to provide telecom services in various parts of India. The telecom regulatory regime in India has gone through a lot of turmoil and evolution and currently any service provider wanting to provide telecom services is issued a Unified License (UL) and has to abide by the terms of the UL. Whilst most of the prohibited activities under the UL refer to specific terms under the UL itself such as non payment of fees and not fulfilling obligations under the UL, section 38 provides for certain specific prohibited activities which may be relevant for the ICT sector. These prohibited activities include:

(i) Carrying objectionable, obscene, unauthorized or any other content, messages or communications infringing copyright and intellectual property right etc., which may be prohibited by the laws of India;

(ii) Provide tracing facilities to trace nuisance, obnoxious or malicious calls, messages or communications transported through his equipment and network, to the authorised government agencies;

(iii) Ensuring that the Telecommunication infrastructure or installation thereof, carried out by it, should not become a safety or health hazard and is not in contravention of any statute, rule, regulation or public policy;

(iv) not permit any telecom service provider whose license has been revoked to use its services. Where such services are already provided, i.e. connectivity already exists, the license is required to immediately sever connectivity immediately.

2b. In case of ICT incidents, States should consider all relevant information, including the larger context of the event, the challenges of attribution in the ICT environment and the nature and extent of the consequences

The Department of Electronics and Information Technology (DEITY) has released the XIIth Five Year Plan on the information technology sector and the report of the Sub-Group on Cyber Security in the plan recognizes that cyber security threats emanate from a wide variety of sources and manifest themselves in disruptive activities that target individuals, businesses, national infrastructure and Governments alike. [6] The primary objectives of the plan for securing the country's cyber space are preventing cyber attacks, reducing national vulnerability to cyber attacks, and minimizing damage and recovery time from cyber attacks. The plan takes into account a number of focus areas to achieve its stated objectives, which are described briefly below:

• Enabling Legal Framework - Setting up think tanks in Public-Private mode to identify gaps in the existing policy and frameworks and take action to address them including addressing the privacy concerns of online users.
• Security Policy, Compliance and Assurance - Enhancement of IT product security assurance mechanism (Common Criteria security test/evaluation, ISO 15408 & Crypto Module Validation Program), establishing a mechanism for national cyber security index leading to national risk management framework.
• Security Resarch&Development (R&D) - Creation of Centres of Excellence in identified areas of advanced Cyber Security R&D and Centre for Technology Transfer to facilitate transition of R&D prototypes to production, supporting R&D projects in thrust areas.
• Security Incident - Early Warning and Response - Comprehensive threat assessment and attack mitigation by means of net traffic analysis and deployment of honey pots, development of vulnerability database.
• Security awareness, skill development and training - Launching formal security education, skill building and awareness programs.
• Collaboration - Establishing a collaborative platform/ think-tank for cyber security policy inputs, discussion and deliberations, operationalisation of security cooperation arrangements with overseas CERTs and industry, and seeking legal cooperation of international agencies on cyber crimes and cyber security.

2c. States should not knowingly allow their territory to be used for internationally wrongful acts using ICTs

As mentioned in response to (a) above, the primary legislation in India that deals with information technology and hence ICT as well is the Information Technology Act, 2000. The IT Act contains a number of penal provisions which make it illegal to indulge in a number of practices such as hacking, online fraud, etc. which have been recognised internationally as wrongful acts using ICT ( Please refer to answer under section (a) above for details of the penal provisions). Further section 1(2) of the IT Act provides that it also applies to any offence or contravention hereunder committed outside India by any person. This means that the IT Act also covers internationally wrongful acts using ICTs.

2d. States should consider how best to cooperate to exchange information, assist each other, prosecute terrorist and criminal use of ICTs and implement other cooperative measures to address such threats. States may need to consider whether new measures need to be developed in this respect

There are a number of ways in which states can share information by using widely accepted formal processes precisely for this purpose. Some of the most common methods of international exchange used by India are given below.

MLATs

Although the exact process by which intelligence agencies in India share information with other agencies internationally is unclear, India is a member of Interpol and the Central Bureau of Investigation, which is a Federal/Central investigating agency functioning under the Central Government, Department of Personnel & Training and is designated as the National Central Bureau of India. A very useful tool in the effort to establish cross-border cooperation is Mutual Legal Assistance Treaties (MLATs). MLATs are extremely important for law enforcement agencies, governments and the private sector, since they act as formal mechanisms for access to data which falls under different jurisdictions. India currently has MLATs with the following 39 countries [7]

Although MLATs are considered to be a useful mechanism to ensure international cooperation, there are certain criticisms of the MLAT mechanism, such as:

• The Lack of Clear Time Tables: Although MLATs do provide for broad time frames, they do not provide for more specific time tables and usually do not have any provision for an expedited process, for eg. it is believed that for requests to the U.S., processing can take from six weeks (for requests with minimal issues complying with U.S. legal standards) to 10 months.[8] Such a long time frame is clearly a burden on the investigation process and has been criticised for being ineffectual as they may not provide information fast enough;
• Variation in Legal Standards: The legal standards for requesting information, for eg. the circumstances under which information can be requested or what information can be requested, differ from jurisdiction to jurisdiction. These differences are often not understood by requesting nations thus causing problems in accessing information;[9]
• Inefficient Legal Process: The legal process to carry out requests through the MLAT process is often considered too cumbersome and inefficient.
• Non-incorporation of Technological Challenges: MLATs have not been updated to meet the challenges brought about by technology, especially with the advent of networked infrastructure and ICT which raise issues of attribution and cross-jurisdictional access to information. [10]

Extradition

Extradition generally refers to the surrender of an alleged or convicted criminal by one State to another. More precisely, it may be defined as the process by which one State upon the request of another surrenders to the latter a person found within its jurisdiction for trial and punishment or, if he has been already convicted, only for punishment, on account of a crime punishable by the laws of the requesting State and committed outside the territory of the requested State. Extradition plays an important role in the international battle against crime and owes its existence to the so-called principle of territoriality of criminal law, according to which a State will not apply its penal statutes to acts committed outside its own boundaries except where the protection of special national interests is at stake. India currently has extradition treaties with 37 countries and extradition arrangements with an additional 8 countries.[11]

Letters Rogatory

A Letter Rogatory is a formal communication in writing sent by the Court in which an action is pending to a foreign court or Judge requesting that the testimony of a witness residing within the jurisdiction of that foreign court be formally taken under its direction and transmitted to the issuing court making the request for use in a pending legal contest or action. This request entirely depends upon the comity of courts towards each other and usages of the court of another nation.

Apart from the above methods, India also regularly signs Bilateral MoUs with various countries on law enforcement and information sharing specially in cases related to terrorism. India also regularly helps and gets helps from Interpol, the International Criminal Police Organisation for purposes of investigation, arrests and sharing of information.[12]

Other than these formal methods states sometimes share information on an informal basis, where the parties help each other purely on the basis of goodwill, or sometimes even coercion. A recent example of informal cooperation between the security agencies of India and Nepal, although not in the realm of cyber space, was the arrest of YasinBhatkal, leader of the banned organisation Indian Mujahideen (IM) where the Indian security agencies allegedly sought informal help from their Neapaelese counterparts to arrest a person who was wantedhad long been wanted by the Indian security agencies for a long time. [13]

In the current environment of growing ICT and increased cross-border information sharing between individuals, the role of private companies who carry this information has become much more pronounced. This changed dynamic raises new problems, especially because manyin light of thesefact that a number of these companies do not have a physical presence in all the countries where they offer services over the internet. This leads to problems for states in terms of law enforcement, speciallyespecially if they want information from these companies who do not have an incentive or desire to provide itagainst their will. These circumstances lead to a number of prickly situations where states are often frustrated in using legal and formal means and often resort to informal pressure to get the companies to agree to data localization requests, encryption/decryption standards and keys, back doors, and other requests. etc., Tthe most famous of these in the Indian context being the disagreement/ heated exchange between the Indian government and Canada based Blackberry Limited (formerly Research in Motion) for data requests on their Blackberry enterprise platform.

2e. States, in ensuring the secure use of ICTs, should respect Human Rights Council resolutions 20/8 and 26/13 on the promotion, protection and enjoyment of human rights on the Internet, as well as General Assembly resolutions 68/167 and 69/166 on the right to privacy in the digital age, to guarantee full respect for human rights, including the right to freedom of expression

Right to Privacy

1. The right to privacy has been recognised as a constitutionally protected fundamental right in India through judicial interpretation of the right to life which is specifically guaranteed under the Constitution of India. Since the right to privacy was read into the constitution by judicial pronouncements, it could be said that the right to privacy in India is a creature of the courts at least in the Indian context. For this reason it may be useful to list out some of the major cases which deal with the right to privacy in India:

   i. Kharak Singh v. Union of India¸[14] (1962)

   a. For the first time, the courts recognized the right to privacy as a fundamental right, although in a minority opinion.

   b. The decision lLocated the right to privacy under both the right to personal liberty as well as freedom of movement.

   ii. Govind v. State of M.P.,[15] (1975)

   a. Adopted the minority opinion of Kharak Singh as the opinion of the Supreme Court and held that the right to privacy is a fundamental right.

   b. An individual deDerivesd the right to privacy from both the right to life and personal liberty as well as freedom of speech and movement.

   c. The right to privacy was said to encompass and protect the personal intimacies of the home, the family marriage, motherhood, procreation and child rearing.

   d. The court established that the rRight to privacy can be violated in the following circumstances (i) important countervailing interest which is superior, (ii) compelling state interest test, and (iii) compelling public interest.

   iii. R. Rajagopal v. Union of India,[16] (1994)

   a. Recognised that the rRight to privacy is a part of the right to personal liberty guaranteed under the constitution.

   b. Recognizeds that the right to privacy can be both a tort (actionable claim) as well as a fundamental right.

   c. Established that aA citizen has a right to safeguard the privacy of his own, his family, marriage, procreation, motherhood, child-bearing and education among other matters and nobody can publish anything regarding the same unless (i) he consents or voluntarily thrusts himself into controversy, (ii) the publication is made using material which is in public records (except for cases of rape, kidnapping and abduction), or (iii) he is a public servant and the matter relates to their discharge of official duties.

   iv. People's Union for Civil Liberties v. Union of India,[17] (1996)

   a. Extended the right to privacy to include communications privacy..

   b. Laid down guidelines which form the backbone for checks and balances in interception provisions.

   v. District Registrar and Collector, Hyderabad and another v. Canara Bank and another, [18] (2004)

   a. Refers to personal liberty, freedom of expression and freedom of movement as the fundamental rights which give rise to the right to privacy.

   b. The rRight to privacy deals with persons and not places.

   c. Intrusion into privacy may be by - (1) legislative provisions, (2) administrative/executive orders and (3) judicial orders.

   vi. Selvi and others v. State of Karnataka and others,[19] (2010)

   a. The Court acknowledged the distinction between bodily/physical privacy and mental privacy

   b. Subjecting a person to techniques such as narcoanalysis, polygraph examination and the Brain Electrical Activation Profile (BEAP) test without consent violates the subject's mental privacy

2. Although the judgements in the above cases (except for the case of People's Union for Civil Liberties v. Union of India) were pronounced given in a non telecomnot delivered in a telecommunications context, however the ease with which these principles were applied in the case of People's Union for Civil Liberties v. Union of India, suggests that these principles, where applicable, would be applied even in the context of ICT and are not limited to only the non-digital world.

3. It must however be noted that dueDue to some incongruities in the interpretation of the earlier judgments, the Supreme Court has recently referred the matter regarding the existence and scope of the right to privacy in India to a larger bench so as to bring clarity regarding the exact scope of the right to privacy in Indian law. The very concept that the Constitution of India guarantees a right to privacy was challenged due to an "unresolved contradiction" in judicial pronouncements. This "unresolved contradiction" arose because in the cases of M.P. Sharma & Others v. Satish Chandra & Others,[20] and Kharak Singh v. State of U.P. & Others, [21](decided byEigheighttandsixSixJudges respectively) the majority judgment of the Supreme Court had categorically denied the existence of a right to privacy under the Indian Constitution.

   However somehow the later case of Gobind v. State of M.P. and another,[22] (which was decided by a two Judge Bench of the Supreme Court) relied upon the opinion given by the minority of two judges in Kharak Singh to hold that a right to privacy does exist and is guaranteed as a fundamental right under the Constitution of India without addressing the fact that this was a minority opinion and that the majority opinion had denied the existeance of the right to privacy. Thereafter a large number of cases have held the right to privacy to be a fundamental right, the most important of which are R. Rajagopal& Another v. State of Tamil Nadu & Others,[23] (popularly known as Auto Shanker's case) and People's Union for Civil Liberties (PUCL) v. Union of India & Another.[24] However, as was noticed by the Supreme Court in its August 11, 2015 order, all these judgments were decided by two or three Judges only which could not have overturned the judgments given by larger benches.[25] It was to resolve this judicial incongruity that the Supreme Court referred this issue to a larger bench to decide on the existence and scope of the right to privacy in India.

Freedom of Expression

4. Freedom of expression is one of the most important fundamental rights guaranteed under the constitution and has been vehemently protected by the judiciary on a number of occasions whenever it has been threatened. With the advent of social media, the entire dynamics of the freedom of speech and expression have changed in that it is now possible for every individual, with an internet connection and a Facebook/Twitter/Whatsapp account to reach millions of people without spending any extra money. This ability to reach a much larger and wider audience also led to greater friction between people holding different opinions. As the ease of the internet removed the otherwise filtering effects of geography and made it easier for people to communicate with each other, the advent of social media made it easier for them to communicate with a larger number of people at the same time. This ability to communicate within a group also gave rise to "debates" which often turngot ugly, highlighting giving way to concerns of how easy it is to harass people on social media.

5. This concern over of harassment led a number of people to call for greater censorship of social media and it was perhaps this concern which gave rise to the biggest challenge to the freedom of speech and expression in the online world, in the form of section 66A of the Information Technology Act, 2000 which made it an offense to send information which was "grossly offensive" (s.66A(a)) or caused "annoyance" or "inconvenience" while being known to be false (s.66A(c)). This section was used widely seen by Oonline activists, including the Centre for Internet and Society, widely considered this section as a tool for the government to silence those who criticised it. In fact, statistics compiled by the National Crime Records Bureau from 2014 revealed that 2,402 people, including 29 women, were arrested in 4,192 cases under section 66A which accounted for nearly 60% of all arrests under the IT Act, and 40% of arrests for cyber crimes in 2014. [26]

6. The section was finally struck down by the Supreme Court in 2015 in the case of Shreya Singhalv. Union of India, [27] on the ground of being too vague. This decision was seen as a huge victory for the campaign for freedom of speech and expression in the virtual world since this section was frequently used by the state (or rather government in power) to muzzle free speech against the incumbent government or political leaders. The offending section 66A made it an offence to send any information that was "grossly offensive or has menacing character" or "which he knows to be false, but for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred, or ill will, persistently makes by makinguse of such computer resource or a communication device,". These terms quoted above were held by the Court to be too vague and wide and falling foul of the limited restrictions constitutionally imposed on the freedom of expression. The Supreme Court therefore, and were therefore struck down section 66A by the Supreme Court.

2f. A State should not conduct or knowingly support ICT activity contrary to its obligations under international law that intentionally damages critical infrastructure or otherwise impairs the use and operation of critical infrastructure to provide services to the public

The researchers of this report could not locate any norms in India which address this issue. To the best of their knowledge, India does not support any ICT activity that intentionally damages critical infrastructure or impairs the use and operation of critical infrastructure.

2g. States should take appropriate measures to protect their critical infrastructure from ICT threats, taking into account General Assembly resolution 58/199 on the creation of a global culture of cybersecurity and the protection of critical information infrastructures, and other relevant resolutions

1. Section 70 of the IT Act gives the government the authority to declare any computer system which directly affects any critical information infrastructure to be a protected system. The term "critical information infrastructure" (CII) is defined in the IT Act "the computer resource, the incapacitation or destruction of which, shall have debilitating impact on national security, economy, public health or safety." Once the government declares any computer resource as a protected system it gets the authority to prescribe information security practices for such as system as well as identify the persons who are authorised to access such systems. Any person who accesses a protected system in contravention of the provision of Section 70 of the IT Act shall be liable to be imprisoned for a maximum period of 10 years and also pay a fine. Further, section 70A of the IT Act gives the government the power to name a national nodal agency in respect of CII and also prescribe the manner for such agency to perform its duties. In pursuance of the powers under sections 70A the government has designated the National Critical Information Infrastructure Protection Centre (NCIIPC) situated in the JNU campus as the nodal agency [28]. This agency is a part of and under the administrative control of the National Technical Research Organisation (NTRO) [29].

2. The functions and manner of performing such functions by the NCIIPC has been prescribed in the Information Technology (National Critical Information Infrastructure Protection Centre and Manner of Performing Functions and Duties) Rules, 2013.[30] According to these Rules the functions of the NCIIPC include, inter alia, (i) the protecting and giving advice to reduce the vulnerabilities of CII against cyber terrorism, cyber warfare and other threats; (ii) identification of all critical infrastructure elements so that they can be notified by the government; (iii) providing strategic leadership and coherence across the government to respond to cyber security threats against CII; (iv) coordinating, sharing, monitoring, analysing and forecasting national level threats to CII for policy guidance, expertiese sharing and situational awareness for early warning alerts; (v) assisting in the development of appropriate plans, adoption of standards, sharing best practices and refinining procurement processes for CII; (vi) undertaking and funding research and development to innovate future technologies and collaborate with PSUs, academia and international partners for protection of CII; (vii) organising training and awareness programmes and development of audit and certification agencies for protection of CII; (viii) developing and executing national and international cooperation strategies for protection of CII; (ix) issuing guidelines, advisories and vulnerability notes relating to CII and practices, procedures, prevention and responses in consultation with CERT-In and other organisations; (x) exchanging information with CERT-In, especially in relation to cyber incidents; and (xi) calling for information and giving directions to critical sectors or persons having a critical impact on CII, in the event of any threat to CII.[31]

3. The NCIIPC had in the year 2013 released (non publicly) Guidelines for the Protection of National Critical Information Infrastructure [32] (CII Guidelines) which presented 40forty controls and respective guiding principles for the protection of CII. It is expected that these controls and guiding principles will help critical sectors to draw a CII protection roadmap to achieve safe, secure and resilient CII for India. The 'Guidelines for forty Critical Controls' is considered by the NCIIPC to be a significant milestone in its efforts for the protection of nation's critical information assets. These fort controls can be found in Section 6 (Best Practices, Controls and Guidelines) of the CII Guidelines. It must be noted that the CII Guidelines were drafted after taking inputs from a number of stakeholders such as the national Stock Exchange, the Airports Authority of India, National Thermal Power Corporation, Reserve Bank of India, Indian Railways, Telecom Regulatory Authority of India, Bharat Sanchar Nigam Limited, etc. This exercise of taking inputs from different stakeholders as well as developing a standard of as many as 40forty aspects of security seems to suggest that the NCIIPC is taking steps in the right direction.

4. The Recommendations on Telecommunication Infrastructure Policy issued by the Telecom Regulatory Authority of India in April, 2011 are silent on the issue of security of critical information infrastructure.s. However, the National Policy on Information Technology, 2012 (NPIT) does address the issue of security of cyber space by saying that the government should make efforts to do the following:

"9.1 To undertake policy, promotion and enabling actions for compliance to international security best practices and conformity assessment (product, process, technology & people) and incentives for compliance.

9.2 To promote indigenous development of suitable security techniques & technology through frontier technology research, solution oriented research, proof of concept, pilot development etc. and deployment of secure IT products/processes

9.3 To create a culture of cyber security for responsible user behavior & actions including building capacities and awareness campaigns.

9.4 To create, establish and operate an 'Information Security Assurance Framework'."

5. The Department of Information and Technology has formed the Computer Emergency Response Term of India (CERT-In) to enhance the security of India's Communications and Information Infrastructure through proactive action and effective collaboration. The Information Security Policy on Protection of Critical Infrastructure released by the CERT-In considers information recorded, processed or stored in electronic medium as a valuable asset and is geared towards protection of such "valuable asset". The policy recognises the importance of critical information infrastructure network and says that any disruption of the operation of such networks is likely to have devastating effects. The policy prescribes that personnel with program delivery responsibilities should also recognise the importance of security of information resources and their management. Thus Ddue to this recognition of the growing networked nature of government as well as critical organisations and the need to have a proper vulnerability analysis as well as effective management of information security risks, the Department of Technology prescribes the following information security policy:

"In order to reduce the risk of cyber attacks and improve upon the security posture of critical information infrastructure, Government and critical sector organizations are required to do the following on priority:

• Identify a member of senior management, as Chief Information Security Officer (CISO), knowledgeable in the nature of information security & related issues and designate him/her as a 'Point of contact', responsible for coordinating security policy compliance efforts and to regularly interact with the Indian Computer Emergency Response Team (CERT-In), Department of Information Technology (DIT), which is the nodal agency for coordinating all actions pertaining to cyber security;
• Prepare information security plan and implement the security control measures as per ISI/ISO/IEC 27001: 2005 and other guidelines/standards, as appropriate;
• Carry out periodic IT security risk assessments and determine acceptable level of risks, consistent with criticality of business/functional requirements, likely impact on business/ functions and achievement of organisational goals/objectives;
• Periodically test and evaluate the adequacy and effectiveness of technical security control measures implemented for IT systems and networks. Especially, Test and evaluation may become necessary after each significant change to the IT applications/systems/networks and can include, as appropriate the following:

➢ Penetration Testing (both announced as well as unannounced)

➢ Vulnerability Assessment

➢ Application Security Testing

➢ Web Security Testing

• Carry out Audit of Information infrastructure on an annual basis and when there is major upgradation/change in the Information Technology Infrastructure, by an independent IT Security Auditing organization;..........

• Report to CERT-In the cyber security incidents, as and when they occur and the status of cyber security, periodically."

6. The Department of Electronics and Information Technology (DEITY) released the National Policy on Electronics in 2012 which contained the government's take on the electronics industry in India. Section 5 of the said policy talks about cCyber sSecurity and states that to create a complete secure cyber eco-system in the country, careful and due attention is required for creation of well-d defined technology and systems, use of appropriate technology and more importantly development of appropriate products and& solutions. The priorities for action should be suitable design and development of indigenous appropriate products through frontier technology/product oriented research, testing and& validation of security of products meeting the protection profile requirements needed to secure the ICT infrastructure and cyber space of the country.

7. In addition the CERT-In has issued an Information Security Management Implementation Guide for Government Organisations. [33] CERT-In has also prescribed progressive steps for implementation of Information Security Management System in Government & Critical Sectors as per ISO 27001. The steps prescribed are as follows:

• Identification of a Point-of-Contact (POC) / Chief Information Security Officer (CISO) for coordinating information security policy implementation efforts and communication with CERT-In
• Information Security Awareness Programme
• Determination of general Risk environment of the organization (low / medium / hHigh) depending on the nature of web and& networking environment, criticality of business functions and impact of information security incidents on the organization, business activities, assets / resources and individuals
• Status appraisal and gap analysis against ISO 27001 based best information security practices
• Risk assessment covering evaluation of threat perception and technical and &operational vulnerabilities
• Comprehensive risk mitigation plan including selection of appropriate information security controls as per ISO 27001 based best information security practices
• Documentation of agreed information security control measures in the form of information security policy manual, procedure manual and work instructions
• Implementation of information security control measures (Managerial, Technical and& operational)
• Testing & evaluation of technical information security control measures for their adequacy & effectiveness and audit of IT applications/systems/networks by an independent information security auditing organization (penetration testing, vulnerability assessment, application security testing, web security testing, LAN audits, etc)
• Information Security Management assessment and certification against ISO 27001 standard, preferably by an independent & accredited organization

8. The Unified License for providing various telecommunication services also discusses contains certain terms which talk about how to engagedeal with telecommunication infrastructure in light of national security, which include the following recommendations:

• Providing necessary facilities to the Government to counteract espionage, subversive act, sabotage or any other unlawful activity;
• Giving full access to its network and equipment to the authorised persons for technical scrutiny and inspection;
• Obtaininggettting security clearance for all foreign nationals deployed on for installation, operation and maintenance of the network;
• Being completely responsible for the security of its network and having organizational policy on security and security management of its network including Network forensics, Network Hardening, Network penetration test, Risk assessment;
• Auditing its network or getting the network audited from security point of view once in a financial year from a network audit and certification agency;
• Inducting only those network elements into its telecommunications network, which have been got tested according tos per relevant contemporary Indian or International Security Standards;
• Including all contemporary security related features (including communication security) as prescribed under relevant security standards while procuring the equipment and implementing all such contemporary features into the network;
• Keeping requisite records of operations in the network;
• Monitoring of all intrusions, attacks and frauds on his technical facilities and provide reports on the same to the Licensor.

Further statutory restrictions on tampering critical infrastructure are already contained in the Telegraph Act and have been discussed above, though the penalties provided may need to be increased if they are to act as a deterrent in this age where the stakes are much higher.

2h. States should respond to appropriate requests for assistance by another State whose critical infrastructure is subject to malicious ICT acts. States should also respond to appropriate requests to mitigate malicious ICT activity aimed at the critical infrastructure of another State emanating from their territory, taking into account due regard for sovereignty

There is yet to be a publicly acknowledged request from a foreign government asking the Indian government to take steps to prevent malicious ICT acts originating from its territory.

2i. States should take reasonable steps to ensure the integrity of the supply chain so that end users can have confidence in the security of ICT products. States should seek to prevent the proliferation of malicious ICT tools and techniques and the use of harmful hidden functions;

 

Section 4 of the National Electronics Policy, 2012 talks about "Developing and Mandating Standards" and says that in order to curb the inflow of sub-standard and unsafe electronic products the government should mandate technical and safety standards which conform to international standards and do the following:

• Develop Indian standards to meet specific Indian conditions including climatic, power supply, and handling and other conditions etc., by suitably reviewing existing standards.
• Mandate technical standards in the interest of public health and safety.
• Set up an institutional mechanism within Department of Information Technology for mandating compliance to standards for electronics products.
• Develop a National Policy Framework for enforcement and use of Standards and Quality Management Processes.
• Strengthen the lab infrastructure for testing of electronic products and encouraging development of conformity assessment infrastructure by private participation.
• Create awareness amongst consumers against sub-standard and spurious electronic products.
• Build capacity within the Government and public sector for developing and mandating standards.
• Actively participate in the international development of standards in the Electronic System Design and Manufacturing sector.

2j. States should encourage responsible reporting of ICT vulnerabilities and share associated information on available remedies to such vulnerabilities to limit and possibly eliminate potential threats to ICTs and ICT-dependent infrastructure

Under section 70B of the IT Act, India has established a Computer Emergency Response Team (CERT-In) to serve as the national agency for incident responses. The functions mandated to be performed by CERT-In as per the IT Act are:

• Collection, analysis and dissemination of information on cyber incidents;
• Forecasting and alerts of cyber security incidents;
• Emergency measures for handling cyber security incidents;
• Coordination of cyber incidents response activities;
• Issuing ofe guidelines, advisories, vulnerability notes and white papers relating to information security practices, procedures, prevention, response and reporting of cyber incidents;
• Such other functions relating to cyber security as may be prescribed.

CERT-In also publishes information regarding various cyber threats on its websites so as to keep internet users aware of the latest threats in the online world. Such information can be accessed both on the main page of the CERT-In website or under the Advisories section on the website. [34]

2k. States should not conduct or knowingly support activity to harm the information systems of the authorized emergency response teams (sometimes known as computer emergency response teams or cyber security incident response teams) of another State. A State should not use authorized emergency response teams to engage in malicious international activity.

There are no official or public reports of India using its CERT-In to harm the information systems of another state, although it is highly unlikely that any state would publicly acknowledge such activities even if it was indulging in them.

3. Conclusion

As can be seen from the discussion above, the statutory, regulatory and policy regime in India does seem to address most of the cyber security norms in some manner or the other, but these efforts almost always fall short of meeting some of the norms. While the Information Technology Act along with the Rules thereunder, as being the umbrella legislation for digital transactions in India, does address some of the issues mentioned above, it does not address some of the problems that arise out of a greater reliance on the internet such as spamming, trolling, and, online harassment, etc. Although some of these acts may be addressed by regular legislation by applying them in the online world however this does not always take into account the unique features and complexities of committing these acts/crimes in the online world.

In the area of exchange of information between states, India has entered into a number of MLATs and extradition treaties, and frequently issues Letters of Rogatory. Yet however these mechanisms may not be adequate to address the needs of crime prevention of crimes in the age of ICT, as crime prevention it often requires exchange of information inon r a real time basis which is not possible with the bureaucratic procedures involved in the MLAT process. There also needsd to be stronger standards which are applicable to ICT equipment, including imported equipment especially in light of the fact that security concerns related to Chinese ICT equipment that from China have been raised quite frequently in the past. There also needs to be a better system of reporting ICT vulnerabilities to CERT-In or other authorized agencies so that mitigation measure can be implemented in time.

It should be noted that the work of the Group of Experts is not complete since the General Assembly has asked the Secretary General to form a new Group of Experts which would report back to the Secretary General in 2017. It is imperative that the Government of India realise the importance of the work being done by the Group of Experts and take measures to ensure that a representative from India is included in or atleast the comments and concerns of India are included and addressed by the Group of Experts. Meanwhile, India can begin by strengthening domestic privacy safeguards, improving transparency and efficiency of relevant policies and processes, and looking towards solutions that respect rights and strengthen security. Brutent force solutions such as demands for back doors, unfair and unreasonable encryption regulation, and data localization requirements will not help propel India forward in international discussions, dialogues, or agreements on cross-border sharing of information. Though the recommendations from the Group of Experts are welcome, beyond a preliminary mention of privacy and freedom of expression, the rights of individuals - and the ways in which these can be protected, various components that go into supporting those rights including redress, transparency, and due process measures - was inadequately addressed.

List of Acronyms

• ICTs – Information Communication Technologies
• GGE – Group of Experts
• EU – European Union
• DLC-ICT – India-Belarus Digital Learning Center
• IT Act – Information Technology Act, 2000
• UL - Unified License
• DEITY – Department of Electronics and Information Technology
• IT – Information Technology
• ISO – International Organization  for Standardisation
• CERT – Computer Emergency Response Team
• CERT-In - Computer Emergency Response Team, India
• MLAT – Mutual Legal Assistance Treaty
• CII – Critical Information Infrastructure
• NCIIPC - National Critical Information Infrastructure Protection Centre
• NTRO - National Technical Research Organisation
• NPIT - National Policy on Information Technology
• CISO - Chief Information Security Officer

The review was published in the Indian Express on August 6, 2016.

Book: Things That Can and Cannot Be Said
Authors: Arundhati Roy & John Cusack
Publication: Juggernaut
Pages: 132
Price: Rs 250

The title of the book — Things That Can and Cannot be Said — demands an imperative. It is as if Arundhati Roy and John Cusack, aware of their internal turmoil in dealing with a world that is rapidly becoming unintelligible, though not incomprehensible, are demanding an order where none exists. Hence, they are advocating for certainty and assurance, only to undermine it, ironically, through their own freely associative writing that mimics linear time and causative narrative. This deep-seated irony of needing to say something, but knowing that saying it is not going to shine a divining light on the sordid realities of the world that is being managed through the production of grand structures like valorous nation states, virtuous civil societies, the obsequious NGO-isation of radical action, and the persistent neutering of justice through the benign vocabulary of human rights, defines the oeuvre, the politics and the poetics of the book. Written like a scrap book, filled with excerpts from long conversations scattered over time and space, annotated by reminiscences of books read long ago that have seared their imprints on the mind, and events that are simultaneously platitudinous for their status as global landmarks and fiercely personal for the scars that they have left on the minds of the authors, the book remains an engaging, if a somewhat freewheeling, ride into a political critique that makes itself all the more palatable and disconcerting for the levity, irreverence and the dark sense of humour that accompanies it.

Composed in alternating chapters, the first half of the book is about Cusack and Roy laying themselves bare. They spare no words, square no edges, and put their personal, political and collective wounds on display with humble pride and proud humility. Cusack’s experience as a screenplay writer comes in handy — he rescues what could have been a long tirade, into a series of conversations. The familiar narratives are rehistoricised and de-territorialised, put into new contexts while eschewing the older ones, thus providing a large landscape that refers to state-sponsored genocide, structural reorganisation of nation states, the dying edge of political action, the overwhelming but invisible presence of capital, and the dithering state of social justice that treats human beings like things. Cusack, identifying the poetic genius of Roy, gives her centre stage, making her the voice in command.

Roy, for her part, seems to have enjoyed this moment in the soapbox — something that she has been doing quite effectively and provocatively to a national and global audience — and gives it her all. There are moments when the text feels indulgent, when the voice feels a little relentless, when the almost schizophrenic global and historical references become a litany of mixed-up events that might have required further nuance and deeper interpretation. However, the whimsical style of Roy’s narrative, with her sense of what is right, and her demeanour that remains friendly, curious and disarming, saves the text from being heavy handed, even when it does dissolve into cloying poignancy and makes you pause, just so that you can breathe.

Surprisingly, it is the second part of the book, where the two encounter Edward Snowden along with Daniel Ellsberg, the “Snowden of the 1960s” who had leaked the Pentagon papers, that falters. Snowden had jocularly mentioned that Roy was there to “radicalise him”. She does that, but in a way that doesn’t give us anything more than what we already know. While Cusack and Roy were committed to getting to know Snowden beyond his systems-man image, there wasn’t much that they could uncover, either in dialogue or in discourse, that could have told us more, endeared us further to possibly the most over-exposed person in recent times. However, one realises that the genius of the narrative is actually in reminding us how transparent Edward Snowden has become to us. We know all kinds of things about this young man — from his girlfriends past to his actions future, from his values and convictions to his opinion on the NSA watching people’s naked pictures — and yet, what has been missing in the Snowden files, has been the larger arc of global politics, social reordering, and perhaps, a glimpse of the post-nation future that Snowden might have seen in his act of whistleblowing that is going to remain the landmark moment that defines the rest of this century.

Once you have gotten over the fact that this is not a book about Snowden, the expectations are better tailored for what is to come, and suddenly, the long prelude to the meeting falls into place. Snowden matches Roy and Cusack in whimsy, irony, political conviction, and the sacred faith in human values that make you want to give them all a fierce hug of hesitant reassurance. What Snowden says, what Roy and Cusack make of it, and how they leave us, almost abruptly at the end, breathless, unnerved, and severely conflicted about some of the 20th century structures like society, activism, nation states, governance, communication, technologies, sharing and caring is what the book has to be read for. The tight screen-writing skills of Cusack meet the perfect timing of Roy’s prose, and all of it becomes surreal, futuristic and indelibly real when it gets anchored on the physical presence of Snowden, who, in exile, talks achingly of the home that has thrown him out and the home that he can never really call his own.

And while there are lapses — fragments, translations and evocations which might have needed more explanations to have their pedagogic intent shine through — there is no denying that, in all its flaws, much like the narrators, the book manages to first immerse you in the cold shock of a sobering reality, clearly positioning the apocalypse as the now, and then drags you out and wraps you up in a warm blanket, opening up forms of critique, formats of intervention, and functions of political commitment towards saying things that have and have not been said. The book should have, perhaps, been titled what could, would, should have been said, but can’t, won’t, shan’t be said — not because of anything else, but because it seems futile.

This was published in Digital Policy Portal on July 13, 2016.

Introduction

Last year, Mukul Rohatgi, the Attorney General of India, called into question existing jurisprudence of the last 50 years on the constitutional validity of the right to privacy.¹ Mohatgi was rebutting the arguments on privacy made against Aadhaar, the unique identity project initiated and implemented in the country without any legislative mandate.² The question of the right to privacy becomes all the more relevant in the context of events over the last few years—among them, the significant rise in data collection by the state through various e-governance schemes,³ systematic access to personal data by various wings of the state through a host of surveillance and law enforcement initiatives launched in the last decade,⁴ the multifold increase in the number of Indians online, and the ubiquitous collection of personal data by private parties.⁵

These developments have led to a call for a comprehensive privacy legislation in India and the adoption of the National Privacy Principles as laid down by the Expert Committee led by Justice AP Shah.⁶ There are privacy-protection legislation currently in place such as the Information Technology Act, 2000 (IT Act), which was enacted to govern digital content and communication and provide legal recognition to electronic transactions. This legislation has provisions that can safeguard—and dilute—online privacy. At the heart of the data protection provisions in the IT Act lies section 43A and the rules framed under it, i.e., Reasonable security practices and procedures and sensitive personal data information.⁷Section 43A mandates that body corporates who receive, possess, store, deal, or handle any personal data to implement and maintain ‘reasonable security practices’, failing which, they are held liable to compensate those affected. Rules drafted under this provision also mandated a number of data protection obligations on corporations such the need to seek consent before collection, specifying the purposes of data collection, and restricting the use of data to such purposes only. There have been questions raised about the validity of the Section 43A Rules as they seek to do much more than mandate in the parent provisions, Section 43A— requiring entities to maintain reasonable security practices.

Privacy as control?

Even setting aside the issue of legal validity, the kind of data protection framework envisioned by Section 43A rules is proving to be outdated in the context of how data is now being collected and processed. The focus of Section 43 A Rules—as well as that of draft privacy legislations in India⁸—is based on the idea of individual control. Most apt is Alan Westin’s definition of privacy: “the claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is communicated to other.”⁹ Westin and his followers rely on the normative idea of “informational self- determination”, the notion of a pure, disembodied, and atomistic self, capable of making rational and isolated choices in order to assert complete control over personal information. More and more this has proved to be a fiction especially in a networked society.

Much before the need for governance of information technologies had reached a critical mass in India, Western countries were already dealing with the implications of the use of these technologies on personal data. In 1973, the US Department of Health, Education and Welfare appointed a committee to address this issue, leading to a report called ‘Records, Computers and Rights of Citizens.’¹⁰ The Committee’s mandate was to “explore the impact of computers on record keeping about individuals and, in addition, to inquire into, and make recommendations regarding, the use of the Social Security number.” The Report articulated five principles which were to be the basis of fair information practices: transparency; use limitation; access and correction; data quality; and security. Building upon these principles, the Committee of Ministers of the Organization for Economic Cooperation and Development (OECD) arrived at the Guidelines on the Protection of Privacy and Transborder Flows of Personal Data in 1980.¹¹ These principles— Collection Limitation, Data Quality, Purpose Specification, Use Limitation, Security Safeguards, Openness, Individual Participation and Accountability—are what inform most data protection regulations today including the APEC Framework, the EU Data Protection Directive, and the Section 43A Rules and Justice AP Shah Principles in India.

Fred Cate describes the import of these privacy regimes as such:

“All of these data protection instruments reflect the same approach: tell individuals what data you wish to collect or use, give them a choice, grant them access, secure those data with appropriate technologies and procedures, and be subject to third-party enforcement if you fail to comply with these requirements or individuals’ expressed preferences”¹²

This is in line with Alan Westin’s idea of privacy exercised through individual control. Therefore the focus of these principles is on empowering the individuals to exercise choice, but not on protecting individuals from harmful or unnecessary practices of data collection and processing. The author of this article has earlier written¹³ about the sheer inefficacy of this framework which places the responsibility on individuals. Other scholars like Daniel Solove,¹⁴ Jonathan Obar¹⁵ and Fred Cate¹⁶ have also written about the failure of traditional data protection practices of notice and consent. While these essays dealt with the privacy principles of choice and informed consent, this paper will focus on the principles of purpose limitation.

Purpose Limitation and Impact of Big Data

The principles of purpose limitation or purpose specification seeks to ensure the following four objectives:

1. Personal information collected and processed should be adequate and relevant to the purposes for which they are processed.
2. The entities collect, process, disclose, make available, or otherwise use personal information only for the stated purposes.
3. In case of change in purpose, the data’s subject needs to be informed and their consent has to be obtained.
4. After personal information has been used in accordance with the identified purpose, it has to be destroyed as per the identified procedures.

The purpose limitation along with the data minimisation principle—which requires that no more data may be processed than is necessary for the stated purpose—aim to limit the use of data to what is agreed to by the data subject. These principles are in direct conflict with new technology which relies on ubiquitous collection and indiscriminate uses of data. The main import of Big Data technologies on the inherent value in data which can be harvested not by the primary purposes of data collection but through various secondary purposes which involve processing of the data repeatedly.¹⁷Further, instead to destroying the data when its purpose has been achieved, the intent is to retain as much data as possible for secondary uses. Importantly, as these secondary uses are of an inherently unanticipated nature, it becomes impossible to account for it at the stage of collection and providing the choice to the data subject.

Followers of the discourse on Big Data would be well aware of its potential impacts on privacy. De-identification techniques to protect the identities of individuals in dataset face a threat from an increase in the amount of data available either publicly or otherwise to a party seeking to reverse-engineer an anonymised dataset to re-identify individuals. ¹⁸ Further, Big Data analytics promise to find patterns and connections that can contribute to the knowledge available to the public to make decisions. What is also likely is that it will lead to revealing insights about people that they would have preferred to keep private.¹⁹In turn, as people become more aware of being constantly profiled by their actions, they will self-regulate and ‘discipline’ their behaviour. This can lead to a chilling effect.²⁰ Meanwhile, Big Data is also fuelling an industry that incentivises businesses to collect more data, as it has a high and growing monetary value. However, Big Data also promises a completely new kind of knowledge that can prove to be revolutionary in fields as diverse as medicine, disaster-management, governance, agriculture, transport, service delivery, and decision-making.²¹ As long as there is a sufficiently large and diverse amount of data, there could be invaluable insights locked in it, accessing which can provide solutions to a number of problems. In light of this, it is important to consider what kind of regulatory framework is most suitable which could facilitate some of the promised benefits of Big Data and at the same time mitigate its potential harm. This, coupled with the fact that the existing data protection principles have, by most accounts, run their course, makes the examination of alternative frameworks even more important. This article will examine some alternate proposals made to the existing framework of purpose limitation below.

Harms-based approach

Some scholars like Fred Cate²² and Daniel Solove²³ have argued that there is a need for the primary focus of data protection law to move from control at the stage of data collection to actual use cases. In his article on the failure of Fair Information Practice Principles,²⁴Cate puts forth a proposal for ‘Consumer Privacy Protection Principles.’ Cate envisions a more interventionist role of the data protection authorities by regulating information flows when required, in order to protect individuals from risky or harmful uses of information. Cate’s attempt is to extend the principles of consumer protection law of prevention and remedy of harms.

In a re-examination of the OECD Privacy Principles, Cate and Viktor Mayer Schöemberger attempt to discard the use of personal data to only purposes specified. They felt that restricting the use of personal to only specified purposes could significantly threaten various research and beneficial uses of Big Data. Instead of articulating a positive obligations of what personal data collected could be used for, they attempt to arrive at a negative obligation of use-cases prevented by law. Their working definition of the Use specification principle broaden the scope of use cases by only preventing use of data “if the use is fraudulent, unlawful, deceptive or discriminatory; society has deemed the use inappropriate through a standard of unfairness; the use is likely to cause unjustified harm to the individual; or the use is over the well-founded objection of the individual, unless necessary to serve an over-riding public interest, or unless required by law.”²⁵

While most standards in the above definition have established understanding in jurisprudence, the concept of unjustifiable harm is what we are interested in. Any theory of harms-based approach goes back to John Stuart Mill’s dictum that the only justifiable purpose to exert power over the will of an individual is to prevent harm to others. Therefore, any regulation that seeks to control or prevent autonomy of individuals (in this case, the ability of individuals to allow data collectors to use their personal data, and the ability of data collectors to do so, without any limitation) must clearly demonstrate the harm to the individuals in question.

Fred Cate articulates the following steps to identify tangible harm and respond to its presence:²⁶

1. Focus on Use — Actual use of the data should be considered, not mere possession. The assumption is that the collection, possession, or transfer of information do not significantly harm people, rather it is the use of information following such collection, possession, or transfer.
2. Proportionality — Any regulatory measure must be proportional to the likelihood and severity of the harm identified.
3. Per se Harmful Uses — Uses which are always harmful must be prohibited by law
4. Per se not Harmful Uses — If uses can be considered inherently not harmful, they should not be regulated.
5. Sensitive Uses — In case where the uses are not per se harmful or not harmful, individual consent must be sought for using that data for those purposes.

The proposal by Cate argues for what is called a ‘use based system’, which is extremely popular with American scholars. Under this system, data collection itself is not subject to restrictions; rather, only the use of data is regulated. This argument has great appeal for both businesses who can reduce their overheads significantly if consent obligations are done away with as long as they use the data in ways which are not harmful, as well as critics of the current data protection framework which relies on informed consent. Lokke Moerel explains the philosophy of ‘harms based approach’ or ‘use based system’ in United States by juxtaposing it against the ‘rights based approach’ in Europe.²⁷ In Europe, rights of individuals with regard to processing of their personal data is a fundamental human right and therefore, a precautionary principle is followed with much greater top-down control upon data collection. However, in the United States, there is a far greater reliance on market mechanisms and self-regulating organisations to check inappropriate processing activities, and government intervention is limited to cases where a clear harm is demonstrable.²⁸

Continuing research by the Centre for Information Policy Leadership under its Privacy Risk Framework Project looks at a system of articulating what harms and risks arising from use of collected data. They have arrived a matrix of threats and harms. Threats are categorised as —a) inappropriate use of personal information and b) personal information in the wrong hands. More importantly for our purposes, harms are divided into: a) tangible harms which are physical or economic in nature (bodily harm, loss of liberty, damage to earning power and economic interests); b) intangible harms which can be demonstrated (chilling effects, reputational harm, detriment from surveillance, discrimination and intrusion into private life); and c) societal harm (damage to democratic institutions and loss of social trust).²⁹For any harms-based system, a matrix like above needs to emerge clearly so that regulation can focus on mitigating practices leading to the harms.

Legitimate interests

Lokke Moerel and Corien Prins, in their article “Privacy for Homo Digitalis – Proposal for a new regulatory framework for data protection in the light of Big Data and Internet of Things”³⁰ use the ideal of responsive regulation which considers empirically observable practices and institutions while determining the regulation and enforcement required. They state that current data protection frameworks—which rely on mandating some principles of how data has to be processed—is exercised through merely procedural notification and consent requirements. Further, Moerel and Prins feel that data protection law cannot only involve a consideration of individual interest but also needs to take into account collective interest. Therefore, the test must be a broader assessment than merely the purpose limitation articulating the interests of the parties directly involved, but whether a legitimate interest is achieved.

Legitimate interest has been put forth as an alternative to the purpose limitation. Legitimate is not a new concept and has been a part of the EU Data Protection Directive and also finds a place in the new General Data Protection Regulation. Article 7 (f) of the EU Directive³¹ provided for legitimate interest balanced against the interests or fundamental rights and freedoms of the data subject as the last justifiable reason for use of data. Due to confusion in its interpretation, the Article 29 Working Party, in 2014,³²looked into the role of legitimate interest and arrived at the following factors to determine the presence of a legitimate interest— a) the status of the individual (employee, consumer, patient) and the controller (employer, company in a dominant position, healthcare service); b) the circumstances surrounding the data processing (contract relationship of data subject and processor); c) the legitimate expectations of the individual.

Federico Ferretti has criticised the legitimate interest principle as vague and ambiguous. The balancing of legitimate interest in using the data against fundamental rights and freedoms of the data subject gives the data controllers some degree of flexibility in determining whether data may be processed; however, this also reduces the legal certainty that data subject have of their data not being used for purposes they have not agreed to.³³However, it is this paper’s contention that it is not the intent of the legitimate interest criteria but the lack of consensus on its application which creates an ambiguity. Moerel and Prins articulate a test for using legitimate interest which is cognizant of the need to use data for the purpose of Big Data processing, as well as ensuring that the rights of data subjects are not harmed.

As demonstrated earlier, the processing of data and its underlying purposes have become exceedingly complex and the conventional tool to describe these processes ‘privacy notices’ are too lengthy, too complex and too profuse in numbers to have any meaningful impact.³⁴The idea of information self-determination, as contemplated by Westin in American jurisprudence, is not achieved under the current framework. Moerel and Prins recommend five factors³⁵ as relevant in determining the legitimate interest. Of the five, the following three are relevant to the present discussion:

1. Collective Interest — A cost-benefit analysis should be conducted, which examines the implications for privacy for the data subjects as well as the society, as a whole.
2. The nature of the data — Rather than having specific categories of data, the nature of data needs to be assessed contextually to determine legitimate interest.
3. Contractual relationship and consent not independent grounds — This test has two parts. First, in case of contractual relationship between data subject and data controller: the more specific the contractual relationship, the more restrictions apply to the use of the data. Second, consent does not function as a separate principle which, once satisfied, need not be revisited. The nature of the consent (opportunities made available to data subject, opt in/opt out, and others) will continue to play a role in determining legitimate interest.

Conclusion

Replacing the purpose limitation principles with a use-based system as articulated above poses the danger of allowing governments and the private sector to carry out indiscriminate data collection under the blanket guise that any and all data may be of some use in the future. The harms-based approach has many merits and there is a stark need for more use of risk assessments techniques and privacy impact assessments in data governance. However, it is important that it merely adds to the existing controls imposed at data collection, and not replace them in their entirety. On the other hand, the legitimate interests principle, especially as put forth by Moerel and Prins, is more cognizant of the different factors at play — the inefficacy of existing purpose limitation principles, the need for businesses to use data for purposes unidentified at the stage of collection, and the need to ensure that it is not misused for indiscriminate collection and purposes. However, it also poses a much heavier burden on data controllers to take into account various factors before determining legitimate interest. If legitimate interest has to emerge as a realistic alternative to purpose limitation, there needs to be greater clarity on how data controllers must apply this principle.

Endnotes

1. Prachi Shrivastava, “Privacy not a fundamental right, argues Mukul Rohatgi for Govt as Govt affidavit says otherwise,” Legally India, Jyly 23, 2015, http://www.legallyindia.com/Constitutional-law/privacy-not-a-fundamental-right-argues-mukul-rohatgi-for-govt-as-govt-affidavit-says-otherwise.
2.  Rebecca Bowe, “Growing Mistrust of India’s Biometric ID Scheme,” Electronic Frontier Foundation, May 4, 2012, https://www.eff.org/deeplinks/2012/05/growing-mistrust-india-biometric-id-scheme.
3. Lisa Hayes, “Digital India’s Impact on Privacy: Aadhaar numbers, biometrics, and more,” Centre for Democracy and Technology, January 20, 2015, https://cdt.org/blog/digital-indias-impact-on-privacy-aadhaar-numbers-biometrics-and-more/.
4. “India’s Surveillance State,” Software Freedom Law Centre, http://sflc.in/indias-surveillance-state-our-report-on-communications-surveillance-in-india/.
5. “Internet Privacy in India,” Centre for Internet and Society, http://cis-india.org/telecom/knowledge-repository-on-internet-access/internet-privacy-in-india.
6. Vivek Pai, “Indian Government says it is still drafting privacy law, but doesn’t give timelines,” Medianama, May 4, 2016, http://www.medianama.com/2016/05/223-government-privacy-draft-policy/.
7. Information Technology (Intermediaries Guidelines) Rules, 2011,
   http://deity.gov.in/sites/upload_files/dit/files/GSR314E_10511%281%29.pdf.
8. Discussion Points for the Meeting to be taken by Home Secretary at 2:30 pm on 7-10-11 to discuss the drat Privacy Bill, http://cis-india.org/internet-governance/draft-bill-on-right-to-privacy.
9. Alan Westin, Privacy and Freedom (New York: Atheneum, 2015).
10. US Secretary’s Advisory Committee on Automated Personal Data Systems, Records, Computers and the Rights of Citizens, http://www.justice.gov/opcl/docs/rec-com-rights.pdf.
11. OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, http://www.oecd.org/sti/ieconomy/oecdguidelinesontheprotectionofprivacyandtransborderflowsofpersonaldata.htm
12. Fred Cate, “The Failure of Information Practice Principles,” in Consumer Protection in the Age of the Information Economy, ed. Jane K. Winn (Burlington: Aldershot, Hants, England, 2006) http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1156972.
13. Amber Sinha and Scott Mason, “A Critique of Consent in Informational Privacy,” Centre for Internet and Society, January 11, 2016, http://cis-india.org/internet-governance/blog/a-critique-of-consent-in-information-privacy.
14. Daniel Solove, “Privacy self-management and consent dilemma,” Harvard Law Review 126, (2013): 1880.
15. Jonathan Obar, “Big Data and the Phantom Public: Walter Lippmann and the fallacy of data privacy self management,” Big Data and Society 2(2), (2015), doi: 10.1177/2053951715608876.
16. Supra Note 12.
17. Supra Note 14.
18. Paul Ohm, “Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization” available at http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1450006; Arvind Narayanan and Vitaly Shmatikov, “Robust De-anonymization of Large Sparse Datasets” available at https://www.cs.utexas.edu/~shmat/shmat_oak08netflix.pdf.
19. D. Hirsch, “That’s Unfair! Or is it? Big Data, Discrimination and the FTC’s Unfairness Authority,” Kentucky Law Journal, Vol. 103, available at: http://www.kentuckylawjournal.org/wp-content/uploads/2015/02/103KyLJ345.pdf
20. A Marthews and C Tucker, “Government Surveillance and Internet Search Behavior”, available at http://ssrn.com/abstract=2412564; Danah Boyd and Kate Crawford, “Critical Questions for Big Data: Provocations for a cultural, technological, and scholarly phenomenon”, Information, Communication & Society, Vol. 15, Issue 5, (2012).
21. Scott Mason, “Benefits and Harms of Big Data”, Centre for Internet and Society, available at http://cis-india.org/internet-governance/blog/benefits-and-harms-of-big-data#_ftn37.
22. Cate, “The Failure of Information Practice Principles.”
23. Solove, “Privacy self-management and consent dilemma,” 1882.
24. Cate, “The Failure of Information Practice Principles.”
25. Fred Cate and Viktor Schoenberger, “Notice and Consent in a world of Big Data,” International Data Privacy Law 3(2), (2013): 69.
26. Solove, “Privacy self-management and consent dilemma,” 1883.
27. Lokke Moerel, “Netherlands: Big Data Protection: How To Make The Draft EU Regulation On Data Protection Future Proof”, Mondaq, March 11. 2014, http://www.mondaq.com/x/298416/data+protection/Big+Data+Protection+How+To+Make+The+Dra%20ft+EU+Regulation+On+Data+Protection+Future+Proof%20al%20Lecture.
28. Moerel, “Netherlands: Big Data Protection.”
29. Centre for Information Policy Leadership, “A Risk-based Approach to Privacy: Improving Effectiveness in Practice,” Hunton and Williams LLP, June 19, 2014, https://www.informationpolicycentre.com/uploads/5/7/1/0/57104281/white_paper_1-a_risk_based_approach_to_privacy_improving_effectiveness_in_practice.pdf.
30. Lokke Moerel and Corien Prins, “Privacy for Homo Digitalis: Proposal for a new regulatory framework for data protection in the light of Big Data and Internet of Things”, Social Science Research Network, May 25, 2016, http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2784123.
31. EU Directive 95/46/EC – The Data Protection Directive, https://www.dataprotection.ie/docs/EU-Directive-95-46-EC-Chapter-2/93.htm.
32. Article 29 Data Protection Working Party, “Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC,” http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp217_en.pdf.
33. Frederico Ferretti, “Data protection and the legitimate interest of data controllers: Much ado about nothing or the winter of rights?,” Common Market Law Review 51(2014): 1-26. http://bura.brunel.ac.uk/bitstream/2438/9724/1/Fulltext.pdf.
34. Sinha and Mason, “A Critique of Consent in Informational Privacy.”
35. Moerel and Prins, “Privacy for Homo Digitalis.”

The most recent report, Developments in the Field of Information and Telecommunications in the Context of International Security, was published in June 2015. The 2015 Report touches upon a number of issues, including international cooperation, norms and principles for responsible state behavior, confidence building measures cross border  exchange of information, and capacity building measures.

Annual reports will continue to be accepted by the General Assembly, and the 2016/2017 Group of Governmental Experts will have it's first meeting in August 2016.  India was a member of the Group of Governmental Experts in 2013.

The Centre for Internet and Society (CIS) has written an article analyzing India’s alignment with the recommendations of the report of the Group of Governmental Experts. This policy brief attempts to articulate the major policy actions that may be considered by India to further incorporate and implement the principles enunciated in the Report.

CIS believes that the report of the Group of Governmental Experts provides important minimum standards that countries could adhere to in light of challenges to international security posed by ICT developments. Given the global nature of these challenges and the need for nations to holistically address such challenges from a human rights and security perspective, CIS believes that the Group of Governmental Experts and similar international forums are useful and important forums for India to continue to actively engage with.

Below are our specific recommendations:

(a) Consistent with the purposes of the United Nations, including to maintain international peace and security, States should cooperate in developing and applying measures to increase stability and security in the use of ICTs and to prevent ICT practices that are acknowledged to be harmful or that may pose threats to international peace and security;

India has entered into treaties on ICT issues with countries such as Belarus, Canada, China, Egypt, and France. Additionally, India’s IT Act addresses a number of  the cyber crimes listed in the Budapest Convention. However, India is not yet a signatory to the Convention. This leaves scope for India to consider further forums and means of international cooperation to better realise this principle.

India has been invited to accede to the Budapest Convention in the past but for various tactical and political reasons has not yet agreed to do so. Although whether to accede to an International Convention or not is usually a well discussed and thought out policy decision of the diplomatic core of a country, the mutual assistance framework, however flawed it may be, would offer a better opportunity for India for international cooperation for increasing the stability and security of ICTs and prevent harmful ICT practices as envisaged in the Report of the Group of Governmental Experts.

(b) In case of ICT incidents, States should consider all relevant information, including the larger context of the event, the challenges of attribution [of cybercrime] in the ICT environment and the nature and extent of the consequences;

While the Department of Electronics and Information Technology (DEITY) as well as the Computer Emergency Response Team, India (CERT-In) have a number of policies which talk about maintaining security and means of addressing threats in the ICT environment, most ICT incidents, crimes or illegal activities using ICT, unless they involve large or government institutions, are handled by the regular police establishment of the country. The lack of capacity, both in terms of infrastructure and skill, of the regular police to adequately address most cyber crimes is an area that needs to be strengthened. The need for cyber security capacity building in India was highlighted in 2015 by the Standing Committee on Information Technology.   It would be useful for dedicated cyber crime departments to be established in all districts. This would be a step in the right direction to provide the requisite capacity and resources to deal with the various technical issues such as attribution, jurisdiction, etc. arising out of ICT incidents.

(d) States should consider how best to cooperate to exchange information, assist each other, prosecute terrorist and criminal use of ICTs and implement other cooperative measures to address such threats. States may need to consider whether new measures need to be developed in this respect;

Owing to the growing irrelevance of physical and political borders in the age of globally networked devices, one of the most important issues arising out of ICTs and cyber crimes is the need for greater and more efficient exchange of information between nations. It has been widely accepted that sharing of information on a regular and sustained basis between nation states would be a very important tool. Limitations in the traditional mechanisms (MLATs, Letters Rogatory, etc.) such as the delay in accessing the information as well as denial of access due to differences in legal standards, present  hurdles to the efficacy of law enforcement agencies only emphasize the urgency of developing a new mechanism of international information sharing that would be able to deal with ICT incidents, while at the same time protecting the freedoms and privacy rights of the citizens of the world. Exploration and participation in dialogues and solutions that are evolving at the international level around cross border sharing of information is key.

(i) States should take reasonable steps to ensure the integrity of the supply chain [of ICT equipment] so that end users can have confidence in the security of ICT products. States should seek to prevent the proliferation of malicious ICT tools and techniques and the use of harmful hidden functions;

While the National Electronics Policy of 2012 states that the government should mandate technical and safety standards in order to curb the inflow of sub-standard and unsafe electronic products, the government is yet to mandate any broad standards in the Indian market for ICT equipment. Considering the enormous security implications of compromised ICT this is an area where the government should prioritize and must act immediately. Mandating standards may require the establishment of a monitoring or enforcement mechanism to ensure that the standards are being implemented. This should be done with the aim of ensuring security while not hindering innovation or the flow of business. To achieve such a balance, research and discussion is needed within the government to formulate a mechanism which would ensure the safety and quality of ICT tools while at the same time ensuring that industry is not hindered.

Conclusion

The suggestions given above are some of the major lessons from the analysis of the UN Report on ICT which CIS believe the government of India could adopt and pursue to strengthen its enlightenment with the recommendations of the Report. It is also imperative that the Government of India continues to realise the importance of the work being done by the Group of Governmental Experts and take measures to ensure that a representative from India is included in future Groups. Meanwhile, India can take positive steps by strengthening domestic privacy safeguards, improving transparency and efficiency of relevant policies and processes, and looking towards solutions that respect rights and strengthen security.

Report: Download (PDF)

This Report is a compilation of the observations made by participants at the workshop relating to myriad issues under the UID Project and various strategies that could be pursued to address these issues. In this Report we have classified the observations and discussions into following themes:

1. Brief Background of the UID Project

2. Legal Status of the UIDAI Project

• Procedural issues with passage of the Act
• Status of related litigation

3. National Identity Projects in Other Jurisdictions

• Pakistan
• United Kingdom
• Estonia
• France
• Argentina

4. Technologies of Identification and Authentication

• Use of Biometric Information for Identification and Authentication
• Architectures of Identification
• Security Infrastructure of CIDR

5. Aadhaar for Welfare?

• Social Welfare: Modes of Access and Exclusion
• Financial Inclusion and Direct Benefits Transfer

6. Surveillance and UIDAI

7. Strategies for Future Action

Annexure A Workshop Agenda

Annexure B Workshop Participants

1. Brief Background of the UID Project

In the year 2009, the UIDAI was established and the UID project was conceived by the Planning Commission under the UPA government to provide unique identification for each resident in India and to be used for delivery of welfare government services in an efficient and transparent manner, along with using it as a tool to monitor government schemes.  The objective of the scheme has been to issue a unique identification number by the Unique Identification Authority of India, which can be authenticated and verified online. It was conceptualized and implemented as a platform to facilitate identification and avoid fake identity issues and delivery of government benefits based on the demographic and biometric data available with the Authority.

The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (the “Act”) was passed as a money bill on March 16, 2016 and was notified in the gazette March 25, 2016 upon receiving the assent of the President. However, the enforceability date has not been mentioned due to which the bill has not come into force.

The Act provides that the Aadhaar number can be used to validate a person’s identity, but it cannot be used as a proof of citizenship. Also, the government can make it mandatory for a person to authenticate her/his identity using Aadhaar number before receiving any government subsidy, benefit, or service. At the time of enrolment, the enrolling agency is required to provide notice to the individual regarding how the information will be used, the type of entities the information will be shared with and their right to access their information. Consent of an individual would be obtained for using his/her identity information during enrolment as well as authentication, and would be informed of the nature of information that may be shared. The Act clearly lays that the identity information of a resident shall not be sued for any purpose other than specified at the time of authentication and disclosure of information can be made only pursuant to an order of a court not inferior to that of a District Judge and/or disclosure made in the interest of national security.

2. Legal Status of the UIDAI Project

In this section, we have summarised the discussions on the procedural issues with the passage of the Act. The participants had criticised the passage of the Act as a money bill in the Parliament. The participants also assessed the litigation pending in the Supreme Court of India that would be affected by this law. These discussions took place in the session titled, ‘Current Status of Aadhaar’ and have been summarised below.

Procedural Issues with Passage of the Act

The participants contested the introduction of the Act in the form of a money bill. The rationale behind this was explained at the session and is briefly explained here. Article 110 (1) of the Constitution of India defines a money bill as one containing provisions only regarding the matters enumerated or any matters incidental to the following: a) imposition, regulation and abolition of any tax, b) borrowing or other financial obligations of the Government of India, c) custody, withdrawal from or payment into the Consolidated Fund of India (CFI) or Contingent Fund of India, d) appropriation of money out of CFI, e) expenditure charged on the CFI or f) receipt or custody or audit of money into CFI or public account of India. The Act makes references to benefits, subsidies and services which are funded by the Consolidated Fund of India (CFI), however the main objectives of the Act is to create a right to obtain a unique identification number and provide for a statutory mechanism to regulate this process. The Act only establishes an identification mechanism which facilitates distribution of benefits and subsidies funded by the CFI and this identification mechanism (Aadhaar number) does not give it the character of a money bill. Further, money bills can be introduced only in the Lok Sabha, and the Rajya Sabha cannot make amendments to such bills passed by the Lok Sabha. The Rajya Sabha can suggest amendments, but it is the Lok Sabha’s choice to accept or reject them. This leaves the Rajya Sabha with no effective role to play in the passage of the bill.

The participants also briefly examined the writ petition that has been filed by former Union minister Jairam Ramesh challenging the constitutionality and legality of the treatment of this Act as a money bill which has raised the question of judiciary’s power to review the decisions of the speaker. Article 122 of the Constitution of India provides that this power of judicial review can be exercised to look into procedural irregularities. The question remains whether the Supreme Court will rule that it can determine the constitutionality of the decision made by the speaker relating to the manner in which the Act was introduced in the Lok Sabha. A few participants mentioned that similar circumstances had arisen in the case of Mohd. Saeed Siddiqui v. State of U.P. [1].

where the Supreme Court refused to interfere with the decision of the Uttar Pradesh legislative assembly speaker certifying an amendment bill to increase the tenure of the Lokayukta as a money bill, despite the fact that the bill amended the Uttar Pradesh Lokayukta and Up-Lokayuktas Act, 1975, which was passed as an ordinary bill by both houses. The Court in this case held that the decision of the speaker was final and that the proceedings of the legislature being important legislative privilege could not be inquired into by courts. The Court added, “the question whether a bill is a money bill or not can be raised only in the state legislative assembly by a member thereof when the bill is pending in the state legislature and before it becomes an Act.”

However, it is necessary to carve a distinction between Rajya Sabha and State Legislature. Unlike the State Legislature, constitution of Rajya Sabha is not optional therefore significance of the two bodies in the parliamentary process cannot be considered the same. Participants also made another significant observation about a similar bill on the UID project (National Identification Authority of India (NIDAI) Bill) that was introduced before by the UPA government in 2010 and was deemed unacceptable by the standing committee on finance, headed by Yashwant Sinha. This bill was subsequently withdrawn.

Status of Related Litigation

A panellist in this session briefly summarised all the litigation that was related to or would be affected by the Act. The panellist also highlighted several Supreme Court orders in the case of KS Puttuswamy v. Union of India [2] which limited the use of Aadhaar. We have reproduced the presentation below.

• KS Puttuswamy v. Union of India - This petition was filed in 2012 with primary concern about providing Aadhaar numbers to illegal immigrants in India. It was contended that this could not be done without a law establishing the UIDAI and amendment to the Citizenship laws. The petitioner raised concerns about privacy and fallibility of biometrics.
• Sudhir Vombatkere & Bezwada Wilson [3] - This petition was filed in 2013 on grounds of infringement of right to privacy guaranteed under Article 21 of the Constitution of India and the security threat on account of data convergence.
• Aruna Roy & Nikhil Dey [4] - This petition was filed in 2013 on the grounds of large scale exclusion of people from access to basic welfare services caused by UID. After their petition, no. of intervention applications were filed. These were the following:
• Col. Mathew Thomas [5] - This petition was filed on the grounds of threat to national security posed by the UID project particularly in relation to arrangements for data sharing with foreign companies (with links to foreign intelligence agencies).
• Nagrik Chetna Manch [6] - This petition was filed in 2013 and led by Dr. Anupam Saraph on the grounds that the UID project was detrimental to financial service regulation and financial inclusion.
• S. Raju [7] - This petition was filed on the grounds that the UID project had implications on the federal structure of the State and was detrimental to financial inclusion.
• Beghar Foundation - This petition was filed in 2013 in the Delhi High Court on the grounds invasion of privacy and exclusion specifically in relation to the homeless. It subsequently joined the petition filed by Aruna Roy and Nikhil Dey as an intervener.
• Vickram Crishna – This petition was originally filed in the Bombay High Court in 2013 on the grounds of surveillance and invasion of privacy. It was later transferred to the Supreme Court.
• Somasekhar – This petition was filed on the grounds of procedural unreasonableness of the UID project and also exclusion & privacy. The petitioner later intervened in the petition filed by Aruna Roy and Nikhil Dey in 2013.
• Rajeev Chandrashekhar– This petition was filed on the ground of lack of legal sanction for the UID project. He later intervened in the petition filed by Aruna Roy and Nikhil Dey in 2013. His position has changed now.
• Further, a petition was filed by Mr. Jairam Ramesh initially challenging the passage of the Act as a money bill but subsequently, it has been amended to include issues of violation of right to privacy and exclusion of the poor and has advocated for five amendments that were suggested to the Aadhaar Bill by the Rajya Sabha.

Relevant Orders of the Supreme Court

There are six orders of the Supreme Court which are noteworthy.

• Order of Sept. 23, 2013 - The Supreme court directed that: 1) no person shall suffer for not having an aadhaar number despite the fact that a circular by an authority makes it mandatory; 2) it should be checked if a person applying for aadhaar number voluntarily is entitled to it under the law; and 3) precaution should be taken that it is not be issued to illegal immigrants.
• Order of 26th November, 2013 – Applications were filed by UIDAI, Ministry of Petroleum & Natural Gas, Govt of India, Indian Oil Corporation, BPCL and HPCL for modifying the September 23rd order and sought permission from the Supreme Court to make aadhaar number mandatory. The Supreme Court held that the order of September 23rd would continue to be effective.
• Order of 24th March, 2014 – This order was passed by the Supreme Court in a special leave petition filed in the case of UIDAI v CBI [8] wherein UIDAI was asked to UIDAI to share biometric information of all residents of a particular place in Goa to facilitate a criminal investigation involving charges of rape and sexual assault. The Supreme Court restrained UIDAI from transferring any biometric information of an individual without to any other agency without his consent in writing. The Supreme Court also directed all the authorities to modify their forms/circulars/likes so as to not make aadhaar number mandatory.
• Order of 16th March, 2015 - The SC took notice of widespread violations of the order passed on September 23rd, 2013 and directed the Centre and the states to adhere to these orders to not make aadhaar compulsory.
• Orders of August 11, 2015 – In the first order, the Central Government was directed to publicise the fact that aadhaar was voluntary. The Supreme Court further held that provision of benefits due to a citizen of India would not be made conditional upon obtaining an aadhaar number and restricted the use of aadhaar to the PDS Scheme and in particular for the purpose of distribution of foodgrains, etc. and cooking fuel, such as kerosene and  the LPG Distribution Scheme. The Supreme Court also held that information of an individual that was collected in order to issue an aadhaar number would not be used for any purpose except when directed by the Court for criminal investigations. Separately, the status of fundamental right to privacy was contested and accordingly the Supreme Court directed that the issue be taken up before the Chief Justice of India.
• Orders of October 16, 2015 – The Union of India, the states of Gujarat, Maharashtra, Himachal Pradesh and Rajasthan, and authorities including SEBI, TRAI,  CBDT, IRDA , RBI applied for a hearing before the Constitution Bench for modification of  the order passed by the Supreme Court on August 11 and allow use of aadhaar number schemes like The Mahatma Gandhi National Rural Employment Guarantee Scheme MGNREGS), National Social Assistance Programme (Old Age Pensions, Widow Pensions, Disability Pensions) Prime Minister's Jan Dhan Yojana (PMJDY) and Employees' Providend Fund Organisation (EPFO). The Bench allowed the use of aadhaar number for these schemes but stressed upon the need to keep aadhaar scheme voluntary until the matter was finally decided.

Status of these orders
The participants discussed the possible impact of the law on the operation of these orders. A participant pointed out that matters in the Supreme Court had not become infructuous because fundamental issues that were being heard in the Supreme Court had not been resolved by the passage of the Act. Several participants believed that the aforementioned orders were effective because the law had not come into force. Therefore, aadhaar number could only be used for purposes specified by the Supreme Court and it could not be made mandatory.  Participants also highlighted that when the Act was implemented, it would not nullify the orders of the Supreme Court unless Union of India asked the Supreme Court for it specifically and the Supreme Court sanctioned that.

3. National Identity Projects in Other Jurisdictions

A panellist had provided a brief overview of similar programs on identification that have been launched in other jurisdictions including Pakistan, United Kingdom, France, Estonia and Argentina in the recent past in the session titled ‘Aadhaar - International Dimensions’. This presentation mainly sought to assess the incentives that drove the governments in these jurisdictions to formulate these projects, mandatory nature of their adoption and their popularity. The Report has reproduced the presentation here.

Pakistan

The Second Amendment to the Constitution of Pakistan in 2000 established the National Database and Regulation Authority in the country, which regulates government databases and statistically manages the sensitive registration database of the citizens of Pakistan. It is also responsible for issuing national identity cards to the citizens of Pakistan. Although the card is not legally compulsory for a Pakistani citizen, it is mandatory for:

• Voting
• Obtaining a passport
• Purchasing vehicles and land
• Obtaining a driver licence
• Purchasing a plane or train ticket
• Obtaining a mobile phone SIM card
• Obtaining electricity, gas, and water
• Securing admission to college and other post-graduate institutes
• Conducting major financial transactions

Therefore, it is pretty much necessary for basic civic life in the country. In 2012, NADRA introduced the Smart National Identity Card, an electronic identity card, which implements 36 security features. The following information can be found on the card and subsequently the central database: Legal Name, Gender (male, female, or transgender), Father's name (Husband's name for married females), Identification Mark, Date of Birth, National Identity Card Number, Family Tree ID Number, Current Address, Permanent Address, Date of Issue, Date of Expiry, Signature, Photo, and Fingerprint (Thumbprint). NADRA also records the applicant's religion, but this is not noted on the card itself. (This system has not been removed yet and is still operational in Pakistan.)

United Kingdom

The Identity Cards Act was introduced in the wake of the terrorist attacks on 11th September, 2001, amidst rising concerns about identity theft and the misuse of public services. The card was to be used to obtain social security services, but the ability to properly identify a person to their true identity was central to the proposal, with wider implications for prevention of crime and terrorism. The cards were linked to a central database (the National Identity Register), which would store information about all of the holders of the cards. The concerns raised by human rights lawyers, activists, security professionals and IT experts, as well as politicians were not to do with the cards as much as with the NIR. The Act specified 50 categories of information that the NIR could hold, including up to 10 fingerprints, digitised facial scan and iris scan, current and past UK and overseas places of residence of all residents of the UK throughout their lives. The central database was purported to be a prime target for cyber attacks, and was also said to be a violation of the right to privacy of UK citizens. The Act was passed by the Labour Government in 2006, and repealed by the Conservative-Liberal Democrat Coalition Government as part of their measures to “reverse the substantial erosion of civil liberties under the Labour Government and roll back state intrusion.”

Estonia

The Estonian i-card is a smart card issued to Estonian citizens by the Police and Border Guard Board. All Estonian citizens and permanent residents are legally obliged to possess this card from the age of 15. The card stores data such as the user's full name, gender, national identification number, and cryptographic keys and public key certificates. The cryptographic signature in the card is legally equivalent to a manual signature, since 15 December 2000. The following are a few examples of what the card is used for:

• As a national ID card for legal travel within the EU for Estonian citizens
• As the national health insurance card
• As proof of identification when logging into bank accounts from a home computer
• For digital signatures
• For i-voting
• For accessing government databases to check one’s medical records, file taxes, etc.
• For picking up e-Prescriptions
• (This system is also operational in the country and has not been removed)

France

The biometric ID card was to include a compulsory chip containing personal information, such as fingerprints, a photograph, home address, height, and eye colour. A second, optional chip was to be implemented for online authentication and electronic signatures, to be used for e-government services and e-commerce. The law was passed with the purpose of combating “identity fraud”. It was referred to the Constitutional Council by more than 200 members of the French Parliament, who challenged the compatibility of the bill with the citizens’ fundamental rights, including the right to privacy and the presumption of innocence. The Council struck down the law, citing the issue of proportionality. “Regarding the nature of the recorded data, the range of the treatment, the technical characteristics and conditions of the consultation, the provisions of article 5 touch the right to privacy in a way that cannot be considered as proportional to the meant purpose”.

Argentina

Documento Nacional de Identidad or DNI (which means National Identity Document) is the main identity document for Argentine citizens, as well as temporary or permanent resident aliens. It is issued at a person's birth, and updated at 8 and 14 years of age simultaneously in one format: a card (DNI tarjeta); it's valid if identification is required, and is required for voting. The front side of the card states the name, sex, nationality, specimen issue, date of birth, date of issue, date of expiry, and transaction number along with the DNI number and portrait and signature of the card's bearer. The back side of the card shows the address of the card's bearer along with their right thumb fingerprint. The front side of the DNI also shows a barcode while the back shows machine-readable information. The DNI is a valid travel document for entering Argentina, Bolivia, Brazil, Chile, Colombia, Ecuador, Paraguay, Peru, Uruguay, and Venezuela. (System still operational in the country)

4. Technologies of Identification and Authentication

The panel in the session titled ‘Aadhaar: Science, Technology, and Security’ explained the technical aspects of use of biometrics and privacy concerns, technology architecture for identification and inadequacy of infrastructure for information security. In this section, we have summarised the presentation and the ensuing discussions on these issues.

Use of Biometric Information for Identification and Authentication

The panelists explained with examples that identification and authentication were different things. Identity provides an answer to the question “who are you?” while authentication is a challenge-response process that provides a proof of the claim of identity. Common examples of identity are User ID (Login ID), cryptographic public keys and ATM or Smart cards while common authenticators are passwords (including OTPs), PINs and cryptographic private keys. Identity is public information but an authenticator must be private and known only to the user. Authentication must necessarily be a conscious process and active participation by the user is a must. It should also always be possible to revoke an authenticator. After providing this understanding of the two processes the panellist then explained if biometric information could be used for identification or authentication under the UID Project. Biometric information is clearly public information and it is questionable if it can be revoked. Therefore it should never be used for authentication, but only for identity verification. There is a possibility of authentication by fingerprints under the UID Project, without conscious participation of the user. One could trace the fingerprints of an individual from any place the individual has been in contact with. Therefore, authentication must certainly be done by other means. The panellist pointed out that there were five kinds of authentication under the UID Project, out of which two-factor authentication and one time password were considered suitable but use of biometric information and demographic information was extremely threatening and must be withdrawn.

Architectures of Identification

The panelists explained the architecture of the UID Project that has been designed for identification purposes, highlighted its limitations and suggested alternatives. His explanations are reproduced below.

Under the UID Project, there is a centralised means of identification i.e. the aadhaar number and biometric information stored in one place, Central Identification Data Repository (CIDR). It is better to have multiple means of identification than one (as contemplated under the UID Project) for preservation of our civil liberties. The question is what the available alternatives are. Web of trust is a way for operationalizing distributed identification but the challenge is how one brings people from all social levels to participate in it. There is a need for registrars who will sign keys and public databases for this purpose.

The aadhaar number functions as a common index and facilitates correlation of data across Government databases. While this is tremendously attractive it raises several privacy concerns as more and more information relating to an individual is available to others and is likely to be abused.

The aadhaar number is available in human readable form. This raises the risk of identification without consent and unauthorised profiling. It cannot be revoked. Potential for damage in case of identity theft increases manifold.

Under the UID Project, for the purpose of information security, Authentication User Agencies (“AUA”) are required to use local identifiers instead of aadhaar numbers but they are also required to map these local identifiers to the aadhaar numbers. Aadhaar numbers are not cryptographically secured; in fact they are publicly available. Hence this exercise for securing information is useless. An alternative would be to issue different identifiers for different domains and cryptographically embed a “master identifier” (in this case, equivalent of aadhaar number) into each local identifier.

All field devices (for example POS machines) should be registered and must communicate directly with UIDAI. In fact, UIDAI must verify the authenticity (tamper proof) of the field device during run time and a UIDAI approved authenticity certificate must be issued for field devices. This certificate must be made available to users on demand. Further, the security and privacy frameworks within which AUAs work must be appropriately defined by legal and technical means.

Security Infrastructure of CIDR

The panelists also enumerated the security features of the UID Project and highlighted the flaws in these features. These have been summarised below.

The security and privacy infrastructure of UIDAI has the following main features:

• 2048 bit PKI encryption of biometric data in transit
• End-to-end encryption from enrolment/POS to CIDR
• HMAC based tamper detection of PID blocks
• Registration and authentication of AUAs
• Within CIDR only a SHA 1 Hash of Aadhaar number is stored
• Audit trails are stored SHA 1 encrypted. Tamper detection?
• Only hashes of passwords and PINs are stored. (biometric data stored in original form though!)
• Authentication requests have unique session keys and HMAC
• Resident data stored using 100 way sharding (vertical partitioning). First two digits of Aadhaar number as shard keys
• All enrolment and update requests link to partitioned databases using Ref IDs (coded indices)
• All accesses through a hardware security module
• All analytics carried out on anonymised data

The panellists pointed out the concerns about information security on account of design flaws, lack of procedural safeguards, openness of the system and too much trust imposed on multiple players. All symmetric and private keys and hashes are stored somewhere within UIDAI.  This indicates that trust is implicitly assumed which is a glaring design flaw.  There is no well-defined approval procedure for data inspection, whether it is for the purpose of investigation or for data analytics. There is a likelihood of system hacks, insider leaks, and tampering of authentication records and audit trails. The ensuing discussions highlighted that the UIDAI had admitted to these security risks. The enrolment agencies and the enrolment devices cannot be trusted. AUAs cannot be trusted with biometric and demographic data; neither can they be trusted with sensitive user data of private nature. There is a need for an independent third party auditor for distributed key management, auditing and approving UIDAI programs, including those for data inspection and analytics, whitebox cryptographic compilation of critical parts of the UIDAI programs, issue of cryptographic keys to UIDAI programs for functional encryption, challenge-response for run-time authentication and certification of UIDAI programs. The panellist recommended that there was a need to to put a suitable legal framework to execute this.

The participants also discussed that information infrastructure must not be made of proprietary software (possibility for backdoors for US) and there must be a third party audit with a non-negotiable clause for public audit.

5. Aadhaar for Welfare?

The Report has summarised the discussions that took place in the sessions on ‘Direct Benefits Transfers’ and ‘Aadhaar: Broad Issues - II’ where the panellists critically analysed the claims of benefits and inclusion of Aadhaar made by the government in light of the ground realities in states where Aadhaar has been adopted for social welfare schemes.

Social Welfare: Modes of Access and Exclusion

Under the Act, a person may be required to authenticate or give proof of the aadhaar number in order to receive subsidy from the government (Section 7). A person is required to punch their fingerprints on POS machines in order to receive their entitlement under the social welfare schemes such as LPG and PDS. It was pointed out in the discussions that various states including Rajasthan and Delhi had witnessed fingerprint errors while doling out benefits at ration shops under the PDS scheme. People have failed to receive their entitled benefits because of these fingerprint errors thus resulting in exclusion of beneficiaries [9]. A panellist pointed out that in Rajasthan, dysfunctional biometrics had led to further corruption in ration shops. Ration shop owners often lied to the beneficiaries about functioning of the biometric machines (POS Machines) and kept the ration for sale in the market therefore making a lot of money at the expense of uninformed beneficiaries and depriving them of their entitlements.

Another participant organisation also pointed out similar circumstances in the ration shops in Patparganj and New Delhi constituencies. Here, the dealers had maintained the records of beneficiaries who had been categorized as follows: beneficiaries whose biometrics did not match, beneficiaries whose biometrics matched and entitlements were provided, beneficiaries who never visited the ration shop. It had been observed that there were no entries in the category of beneficiaries whose biometrics did not match however, the beneficiaries had a different story to tell. They complained that their biometrics did not match despite trying several times and there was no mechanism for a manual override. Consequently, they had not been able to receive any entitlements for months. The discussions also pointed out that the food authorities had placed complete reliance on authenticity of the POS machines and claim that this system would weed out families who were not entitled to the benefits. The MIS was also running technical glitches as a result there was a problem with registering information about these transactions hence, no records had been created with the State authority about these problems. A participant also discussed the plight of 30,000 widows in Delhi, who were entitled to pension and used to collect their entitlement from post offices, faced exclusion due to transition problems under the Jan Dhan Yojana (after the Jandhan was launched the money was transferred to their bank accounts in order to resolve the problem of misappropriation of money at the hands of post office officials). These widows were asked to open bank accounts to receive their entitlements and those who did not open these accounts and did not inform the post office were considered bogus.

In the discussions, the participants also noted that this unreliability of fingerprints as a means of authentication of an individual’s identity was highlighted at the meeting of Empowered Group of Ministers in 2011 by J Dsouza, a biometrics scientist. He used his wife’s fingerprints to demonstrate that fingerprints may change overtime and in such an event, one would not be able to use the POS machine anymore as the machine would continue to identify the impressions collected initially.

The participants who had been working in the field had contributed to the discussions by busting the myth that the UID Project helped to identify who was poor and resolve the problem of exclusion due to leakages in the social welfare programs. These discussions have been summarised below.

• It is important to understand that the UID Project is merely an identification and authentication system. It only helps in verifying if an individual is entitled to benefits under a social security scheme. It does not ensure plugging of leakages and reducing corruption in social security schemes as has been claimed by the Government. The reduction in leakage of PDS, for instance, should be attributed to digitization and not UID. The Government claims, that it has saved INR 15000 crore in provision of LPG on identification of 3.34 crore inactive accounts on account of the UID Project. This is untrue because the accounts were weeded by using mechanisms completely unrelated to the UID Project. Consequently, the savings on account of UID are only of INR 120 crore and not 15000 crore.
• The UID Project has resulted in exclusion of people either because they do not have an aadhaar number, or they have a wrong identification, or there are errors of classification or wilful misclassification. About 99.7% people who were given aadhaar numbers already had an identification document. In fact, during enrolment a person is required to produce one of 14 identification documents listed under the law in order to get an aadhaar number which makes it very difficult for a person with no identity to become entitled to a social welfare scheme.

A participant condemned the Government’s claim that the UID Project had helped in removing fake, bogus and duplicate cards and said that these terms could not be used synonymously and the authorities had no clarity about the difference between the meanings of these terms. The UID Project had only helped in removal of duplicate cards but had not helped in combating the use of fake and bogus cards.

Financial Inclusion and Direct Benefits Transfer

The participants also engaged in the discussions about the impact of the UID project on financial inclusion in India in the sessions titled ‘Aadhaar: Broad Issues - I & II’. We have summarised these discussions below.

The UID Project seeks to directly transfer money to a bank account in order to combat corruption. The discussions highlighted that this was nothing but introducing a neo liberal thrust in social policy and that it was not feasible for various reasons. First, 95% of rural India did not have functioning banks and banks are quite far away. Second, in order to combat this dearth of banks the idea of business correspondents, who handled banking transactions and helped in opening of bank accounts, had been introduced which had created various problems. The Reserve Bank of India reported that there was dearth of business correspondents as there was very little incentive to become one; their salary is merely INR 4000. Third, there were concerns about how an aadhaar number was considered a valid document for Know Your Customer (KYC) checks. There was a requirement for scrutiny and auditing of documents submitted during the time of enrolment which, in the present scheme of things, could not be verified. Fourth, there were no restrictions on number of bank accounts that could be opened with a single aadhaar number which gave rise to a possibility of opening multiple and shell accounts on a single aadhaar number. Therefore, records only showed transactions when money was transferred from an aadhaar number to another aadhaar number as opposed to an account-to-account transfer. The discussion relied on NPCI data which shows which bank an aadhaar number is associated with but does not show if a transaction by an aadhaar number is overwritten by another bank account belonging to the same aadhaar number.

6. Surveillance and UIDAI

The participants had discussed the possibility of an alternative purpose for enrolling Aadhaar in the session titled ‘Privacy, Surveillance, and Ethical Dimensions of Aadhaar’. The discussion traced the history of this project to gain insight on this issue. We have summarised below the key take aways from this discussion.

There are claims that the main objective of launching the UID Project is not to facilitate implementation of social security schemes but to collect personal (financial and non-financial) information of the citizens and residents of the country to build a data monopoly. For this purpose, PDS was chosen as a suitable social security scheme as it has the largest coverage. Several participants suggested that numerous reports authored by FICCI, KPMG and ASSOCHAM contained proposals for establishing a national identity authority which threw some light on the commercial intentions behind information collection under the UID Project.

It was also pointed out that there was documented proof that information collected under the UID Project might have been shared with foreign companies. There are suggestions about links established between proponents of the UID Project and companies backed by CIA or the French Government which run security projects and deal in data sharing in several jurisdictions.

7. Strategies for Future Action

The participants laid down a list of measures that must be taken to take the discussions forward. We have enumerated these recommendations below.

• Prepare and compile an anthology of articles as an output of this workshop.
• Prepare position papers on specific issues related to the UID Project
• Prepare pamphlets/brochures on issues with the UID Project for public consumption
• Prepare counter-advertisements for Aadhaar
• Publish existing empirical evidence on the flaws in Aadhaar.
• Set up an online portal dedicated to providing updates on the UID Project and allows discussions on specific issues related to Aadhaar.
• Use Social Media to reach out to the public. Regularly track and comment on social media pages of relevant departments of the government.
• Create groups dedicated to research and advocacy of specific aspects of the UID Project.
• Create a Coordination Committee preferably based in Delhi which would be responsible for regularly holding meetings and for preparing a coordinated plan of action. Employ permanent to staff to run the Committee.
• Organise an advocacy campaign against use of Aadhaar in collaboration with other organisations and build public domain acceptance.
• The campaign must specifically focus on the unfettered scope of UID and expanse, misrepresentation of the success of Aadhaar by highlighting real savings, technological flaws, status of pilot programs and increasing corruption on account of the UID Project
• Prepare a statement of public concern regarding the UID Project and collect signatures from eminent persons including academics, technical experts, civil society groups and members of parliament.
• Organise events and discussions on issues relating to Aadhaar and invite members og government departments to speak and discuss the issues.
• Write to Members of Parliament and Members of Legislative Assemblies raising questions on their or their parties’ support for Aadhaar and silence on the problems created by the UID Project.
• Organise public hearings in states like Rajasthan to observe and document ground realities of the UID Project and share these outcomes with the state government and media.
• Plan a national social audit and public hearing on the working of UID Project in the country.
• File Contempt Petitions in the Supreme Court and High Courts against mandatory use of Aadhaar number for services not allowed by the Supreme Court.
• Reach out to and engage with various foreign citizens and organisations that have been fighting on similar issues. The organisations and individuals who could be approached would include EPIC, Electronic Frontier foundation, David Moss, UK, Roger Clarke, Australia, Prof. Ian Angel, Snowden, Assange and Chomsky.
• Work towards increasing awareness about the UID Project and gaining support from the student and research community, student organisations, trade unions, and other associations and networks in the unorganised sector.

Annexure A – Workshop Agenda

May 26, 2016

May 27, 2016

Annexure B – Workshop Participants

Anjali Bhardwaj, Satark Nagrik Sangathan

Dr. Anupam Saraph

Arjun Jayakumar, Software Freedom Law Centre

Ashok Rao, Delhi Science Forum

Prof. Chinmayi Arun, National Law University, Delhi

Prof. Dinesh Abrol, Jawaharlal Nehru University

Prof. G Nagarjuna, Homi Bhabha Center for Science Education, Tata Institute of Fundamental Research, Mumbai

Dr. Gopal Krishna, Citizens Forum for Civil Liberties

Prof. Himanshu, Jawaharlal Nehru University

Japreet Grewal, the Centre for Internet and Society

Joshita Pai, National Law University, Delhi

Malini Chakravarty, Centre for Budget and Governance Accountability

Col. Mathew Thomas

Prof. MS Sriram, Indian Institute of Management, Bangalore

Nikhil Dey, Mazdoor Kisan Shakti Sangathan

Prabir Purkayastha, Knowledge Commons and Free Software Movement of India

Pukhraj Singh, Bhujang

Rajiv Mishra, Jawaharlal Nehru University

Prof. R Ramakumar, Tata Institute of Social Sciences, Mumbai

Dr. Reetika Khera, Indian Institute of Technology, Delhi

Dr. Ritajyoti Bandyopadhyay, Indian Institute of Science Education and Research, Mohali

S. Prasanna, Advocate

Sanjay Kumar, Science Journalist

Sharath, Software Freedom Law Centre

Shivangi Narayan, Jawaharlal Nehru University

Prof. Subhashis Banerjee, Indian Institute of Technology, Delhi

Sumandro Chattapadhyay, the Centre for Internet and Society

Dr. Usha Ramanathan, Legal Researcher

Note: This list is only indicative, and not exhaustive.

[1] Civil Appeal No. 4853 of 2014

[2] WP(C) 494/2012

[3] . WP(C) 829/2013

[4] WP(C) 833/2013

[5] WP (C) 37/2015; (Earlier intervened in the Aruna Roy petition in 2013)

[6] WP (C) 932/2015

[7] Transferred from Madras HC 2013.

[8] SLP (Crl) 2524/2014 filed against the order of the Goa Bench of the Bombay HC in CRLWP 10/2014 wherein the High Court had directed UIDAI to share biometric information held by them of all residents of a particular place in Goa to help with a criminal investigation in a case involving charges of rape and sexual assault.

[9] See :http://scroll.in/article/806243/rajasthan-presses-on-with-aadhaar-after-fingerprint-readers-fail-well-buy-iris-scanners

The article was published in the Hindustan Times on August 31, 2016.

WhatsApp clarifies in its blog post, “... by coordinating more with Facebook, we’ll be able to do things like track basic metrics about how often people use our services and better fight spam on WhatsApp. And by connecting your phone number with Facebook’s systems, Facebook can offer better friend suggestions and show you more relevant ads if you have an account with them.”

WhatsApp’s further clarifies that it will not post your number on Facebook or share this data with advertisers. This means little because it will share your number with Facebook for advertisement. It is simply doing indirectly, what it has said it won’t do directly. This new development also leads to the collapsing of different personae of a user, even making public their private life that they have so far chosen not to share online. Last week, Facebook published a list of 98 data points it collects on users. These data points combined with your WhatsApp phone number, profile picture, status message, last seen status, frequency of conversation with other users, and the names of these users (and their data) could lead to a severely uncomfortable invasion of privacy.

Consider a situation where you have spoken to a divorce lawyer in confidence over WhatsApp’s encrypted channel, and are then flooded with advertisements for marriage counselling and divorce attorneys when you next log in to Facebook at home. Or, you are desperately seeking loans and get in touch with several loan officers; and when you log in to Facebook at work, colleagues notice your News Feed flooded with ads for loans, articles on financial management, and support groups for people in debt.

It is no secret that Facebook makes money off interactions on its platform, and the more information that is shared and consumed, the more Facebook is benefitted. However, the company’s complete disregard for user consent in its efforts to grow is worrying, particularly because Facebook is a monopoly. In order for one to talk to friends and family and keep in touch, Facebook is the obvious, if not the only, choice. It is also increasingly becoming the most accessible way to engage with government agencies. For example, Indian embassies around the world have recently set up Facebook portals, the Bangalore Traffic Police is most easily contacted through Facebook, and heads of states are also turning to the platform to engage with people. It is crucial that such private and collective interactions of citizens with their respective government agencies are protected from becoming data points to which market researchers have access.

Given Facebook’s proclivity for unilaterally compromising user privacy, the Federal Trade Commission (FTC) in 2011 charged the company for deceiving consumers by misleading them about the privacy of their information. Following these charges, Facebook reached an agreement to give consumers clear notice and obtain consumers’ express consent before extending privacy settings that they had established. The latest modification to WhatsApp’s terms of service seems to amount to a clear violation of this agreement and brings out the grave need to treat user consent more seriously.

There is a way to opt out of sharing data for Facebook ads targeting that is outlined by WhatsApp on its blog, which is the best example for a case of invasion-of-privacy-by-design. WhatsApp plans to ask the users to untick a small green arrow, and then click on a large green button that says “Agree” (which is the only button) so as to indicate that they are opting-out. The interface of the notice seems to be consciously designed to confuse users by using the power of default option. For most users, agreeing to terms and conditions is a hasty click on a box and the last part of an installation process. Predictably, most users choose to go with default options, and this specific design of the opt-out option is not meaningful at all.

In 2005, Facebook’s default profile settings were such that anyone on Facebook could see your name, profile picture, gender and network. Your photos, wall posts and friends list were viewable by people in your network. Your contact information, birthday and other data could be seen by friends and only you could view the posts that you liked. Fast forward to 2010, and the entire internet, not just all Facebook users, can see your name, profile picture, gender, network, wall posts, photos, likes, friends list and other profile data. There hasn’t been a comprehensive study since 2010, but one can safely assume that Facebook’s privacy settings will only get progressively worse for users, and exponentially better for Facebook’s revenues. The service is free and we truly are the product being sold.

The blog post was first published in Global Voices on September 5, 2016.

Netizens who regularly use these and similar services have become anxious about what the rule may mean for them. Last week, a new legal notice concerning copyright violations sparked widespread rumors that users could be penalized for simply viewing torrent sites.

The notice now appears when one visits any of the banned websites. It reads:

This URL has been blocked under the instructions of the Competent Government Authority or in compliance with the orders of a Court of competent jurisdiction. Viewing, downloading, exhibiting or duplicating an illicit copy of the contents under this URL is punishable as an offence under the laws of India, including but not limited to under Sections 63, 63-A, 65 and 65-A of the Copyright Act, 1957 which prescribe imprisonment for 3 years and also fine of upto Rs. 3,00,000/-. Any person aggrieved by any such blocking of this URL may contact at [email protected] who will, within 48 hours, provide you the details of relevant proceedings under which you can approach the relevant High Court or Authority for redressal of your grievance.

Soon after news of the notice began to circulate, the Chennai High Court – one of the oldest courts in India — issued a John Doe order to block as many as 830 websites, including several torrent websites such as thepiratebay.se, torrenthound.com, and kickasstorrents.come.in.

This is not the first time India has put a blanket ban on such sites. In December 2014, 32 websites — including including code repository Github, video streaming sites Vimeo and Dailymotion, online archive Internet Archive, free software hosting site Sourceforge — were banned in India. They were later unblocked after agreeing to remove some ISIS-related content.

As they have in the past, tech-savvy netizens began suggesting hacks to mask or fake one's IP address. Sumiteshwar Choudhary, a practicing criminal and matrimony lawyer, described on Quora how the law had existed for quite some time but the government had never fully enforced it:

[..] The only reason that India has not been able to successfully ban these services is because the servers rest outside India and we don’t have any law to extend our jurisdiction to that extent today. As an end user if you download a pirated version of things you are not entitled to, you can be booked criminally under this Act and can face prison for up to 2 years…

Twitter user Prisma Mama Thakur criticized the ban, arguing that it should be a low priority in a moment when India has many other important problems to solve:

The article was published in Economic & Political Weekly Vol. 51, Issue No. 36, September 3, 2016.

While I am not a statistician, I have followed the technical debate between Hans Verghese Mathews and the UIDAI closely, and see a number of glaring errors in the latter’s so-called rebuttal in EPW (March 12, 2016).

The UIDAI alleges Mathews to have ignored the evidence that the Receiver Operating Characteristic (ROC) "flattens" with more factors. However, Mathews cannot be accused of ignorance if the flattening of the ROC is not relevant to his argument. To explain this in simple terms, the ROC curve is used to choose the appropriate "threshold distance" which determines false positives and false negatives, and belongs to a stage which precedes the estimation of the false positive identification rates (FPIR).

However, Mathews has used the FPIR estimates provided by the UIDAI (based on evidence from the enrolment of 84 million persons), and calculated how the FPIR changes when extrapolated for a population of 1.2 billion persons. In other words, he did not need to look at the ROC curve as that factor is not relevant to his argument, since he has used UIDAI data (which has presumably been estimated on the basis of all 12 factors : 10 fingerprints and 2 irises).

Further, UIDAI asks why Mathews has assumed a linear curve for his extrapolation. Mathews has done no such thing. In fact, in their paper "Role of Biometric Technology in Aadhaar Enrollment," the UIDAI states: "FPIR rate grows linearly with the database size" (nd, 19). Thus, this is an assumption formerly made by them (without providing rationale for it to be a linear curve as opposed to anything else).  Mathews mathematically derives bounds for the FPIR in his paper, that is, the range within which the FPIR lies. One gets a linear curve only if they use the upper bound and not on the usage of anything else. So while Mathews does, as he explains, provide the results of the calculation based on the upper bound for the sake of simplicity, he nowhere asserts nor assumes a linear curve.

If, as the UIDAI claims, one cannot perform such an extrapolation and needs to depend on “empirical evidence” instead, the question arises as to how the UIDAI decided to scale up the programme to 1.3 billion people given the error rates. One could also ask if the machines being used to capture biometrics are good enough for the enlargement. Surely they would have performed some extrapolations to decide this.

In their paper they note that "although it [FPIR] is expected to grow as the database size increases, it is not expected to exceed manageable values even at full enrolment of 120 crores" (UIDAI nd, 13). They do not illustrate the extent to which the FPIR is expected to grow—neither in their initial paper, nor in their rebuttal to Mathews—whereas Mathews provides a method of estimating the increase of FPIR. Even if UIDAI is correct in its appraisal of FPIR and that it will not exceed "manageable values," they need to either exemplify their calculations or release the latest data. They have done neither, and that is quite unfortunate.

References

The article was published in India Today on September 1, 2016. The original piece can be read here.

Over the last few weeks, there have been a number of cases of egregious censorship of websites in India. Many people started seeing notices that (incorrectly) gave an impression that they may end up in jail if they visited certain websites. However, these notices weren't an isolated phenomenon, nor one that is new. Worryingly, the higher judiciary has been drawn into these questionable moves to block websites as well.

Since 2011, numerous torrent search engines and communities have been blocked by Indian internet service providers (ISPs). Torrent search engines provide the same functionality for torrents that Google provides for websites. Are copyright infringing materials indexed and made searchable by Google? Yes. Do we shut down Google for this reason? No. However, that is precisely what private entertainment companies have done over the past five years in India. Companies hired by the producers of Tamil movies Singham and 3 managed to get video-sharing websites like Vimeo, Dailymotion and numerous torrent search engines blocked even before the movies released, without showing even a single case of copyright infringement existed on any of them. During the FIFA World Cup, Sony even managed to get Google Docs blocked. In some cases, these entertainment companies have abused 'John Doe' orders (generic orders that allow copyright enforcement against unnamed persons) and have asked ISPs to block websites. The ISPs, instead of ignoring such requests as instances of private censorship, have also complied. In other cases (like Sony's FIFA World Cup case), courts have ordered ISPs to block hundreds of websites without any copyright infringement proven against them. High court judges haven't even developed a coherent theory on whether or how Indian law allows them to block websites for alleged copyright infringement. Still they have gone ahead and blocked.

In 2012, hackers got into Reliance Communications servers and released a list of websites blocked by them. The list contained multiple links that sought to connect Satish Seth-a group MD in Reliance ADA Group-to the 2G scam: a clear case of secretive private censorship by RCom. Further, visiting some of the YouTube links which pertained to Satish Seth showed that they had been removed by YouTube due to dubious copyright infringement complaints filed by Reliance BIG Entertainment. Did the department of telecom, whose licences forbid ISPs from engaging in private censorship, take any action against RCom? No. Earlier this year, Tata Sky filed a complaint against YouTube in the Delhi High Court, noting that there were videos on it that taught people how to tweak their set-top boxes to get around the technological locks that Tata Sky had placed. The Delhi HC ordered YouTube "not to host content that violates any law for the time being in force", presuming that the videos in question did in fact violate Indian law. They cite two sections: Section 65A of the Copyright Act and Section 66 of the Information Technology Act. The first explicitly allows a user to break technological locks of the kind that Tata Sky has placed for dozens of reasons (and allows a person to teach others how to engage in such breaking), whereas the second requires finding of "dishonesty" or "fraud" along with "damage to a computer system, etc", and an intention to violate the law-none of which were found. The court effectively blocked videos on YouTube without any finding of illegality, thus once again siding with censorial corporations.

In 2013, Indore-based lawyer Kamlesh Vaswani filed a PIL in the Supreme Court calling for the government to undertake proactive blocking of all online pornography. Normally, a PIL is only admittable under Article 32 of the Constitution, on the basis of a violation of a fundamental right (which are listed in Part III of our Constitution). Vaswani's petition-which I have had the misfortune of having read carefully-does not at any point complain that the state is violating a fundamental right by not blocking pornography. Yet the petition wants to curb the fundamental right to freedom of expression, since the government is by no means in a position to determine what constitutes illegal pornography and what doesn't.

The larger problem extends to the now-discredited censor board (headed by the notorious Pahlaj Nihalani), as also the self-censorship practised on TV by the private Indian Broadcasters Federation (which even bleeps out words and phrases like 'Jesus', 'period', 'breast cancer' and 'beef'). 'Swachh Bharat' should not mean sanitising all media to be unobjectionable to the person with the lowest outrage threshold. So who will file a PIL against excessive censorship?

Sunil Abraham, executive director of the Centre for Internet and Society, wrote this in response to the FactorDaily story on TwitterSeva, a special feature developed by Twitter’s India team to help citizens connect better with government services. Sunil's article in FactorDaily can be read here.

Let’s take a look at why the TwitterSeva approach is not adequate:

1. Vendor and Technology Neutrality: Providing a level ground for competing technologies in e-governance has been a globally accepted best practice for about 15 years now. This is usually done by using open standards policies and interoperability frameworks.

India does have a national open standards policy, but the National Informatics Centre (NIC) has only published one chapter of the Interoperability Framework for e-Governance .

The thing is, while Twitter might be the preferred choice for urban elites and the middle class, it might not be the choice of millions of Indians coming online. By implicitly signaling to citizens that Twitter complaints will be taken more seriously than e-mail or SMS complaints, the government is becoming a salesperson for Twitter. Ideally, all interactions that the state has with citizens should be such that citizens can choose which vendor and technology they would like to use. Ideally, the government should have its own work-flow so that it can harvest complaints, feedback and other communications from all social media platforms be it Twitter or Identica, Facebook or Diaspora, and publish responses back onto them.

By implicitly signalling to citizens that Twitter complaints will be taken more seriously than e-mail or SMS complaints, the government is becoming a salesperson for Twitter

Apart from undermining the power of choice for citizens, lack of vendor and technology neutrality in government use of technology undermines the efficient functioning of a competitive free market, which is the bedrock of future innovation.

When it comes to micro-blogging, Twitter has established a near monopoly in India. There are no clear signs of harm and therefore it would not be wise to advocate that the Competition Commission of India investigate Twitter. However, if the government helps Twitter tighten its grip over the Indian market, it is preventing the next cycle of creative destruction and disruption. Therefore, e-governance applications should ideally only “loosely couple” with the APIs of private firms so that competition and innovation are protected.

2. Holistic Approach and Accountability: Ideally, as the Electronic Service Delivery Bill 2011 had envisaged, every agency within the government was supposed to (within 180 days of the enactment of the Act) do several things: publish a list of services that will be delivered electronically with a deadline for each service; commit to service-level agreements for each service and provide details of the manner of delivery; provide an agency-level grievance redressal mechanism for citizens unhappy with the delivery of these electronic services.

Notwithstanding the 180-day commitment, the Bill required that “all public services shall be delivered in electronic mode within five years” after the enactment of the Bill with a potential three-year extension if the original deadline was not met. The Bill also envisaged the constitution of a Central Electronic Service Delivery Commission with a team of commissioners who “monitor the implementation of this Bill on a regular basis” and publish an annual report which would include “the number of electronic service requests in response to which service was provided in accordance with the applicable service levels and an analysis of the remaining cases.”

The Electronic Service Delivery Bill 2011 had a much more comprehensive and accountable plan for e-governance adoption in the country

Citizens suffering from non-compliance with the provisions of the Bill and unsatisfied with the response from the agency level grievance redressal mechanism could appeal to the Commission. The state or central commissioners after giving the government officials an opportunity to be heard were empowered to impose a fine of Rs 5000.

Unlike the piecemeal approach of TwitterSeva, the Bill had a much more comprehensive and accountable plan for e-governance adoption in the country.

3. Right To Transparency: Some of the interactions that the government has with citizens and firms may have to be disclosed under the obligation emerging from the Right to Information Act for disclosure to the public or to the requesting party. Therefore it is important that the government take its own steps for the retention of all data and records — independent of the goodwill and lifecycles of private firms.

Twitter is only 10 years old. It took 10 years for Orkut to shut down. Maybe Twitter will shut down in the next 10 years. How then will the government comply with RTI requests? Even if the government is not keen on pushing for data portablity as a right for consumers (just like mobile number portability in telecom, so that consumers can seamlessly shift between competing service providers), it absolutely should insist on data portability for all government use.

Twitter is only 10 years old. It took 10 years for Orkut to shut down. Maybe Twitter will shut down in the next 10 years. How then will the government comply with RTI requests?

This will allow it to shift to a) support multiple services, b) shift to competing/emerging services c) incrementally build its own infrastructure and also comply with the requirements of the Right to Information Act.

4. Privacy: Unfortunately, thanks to the techno-utopians behind the Aadhaar project, the current government is infected with “data ideology.” There is an obsession with collecting as much data as possible from citizens, storing it in centralized databases and providing “dashboards” to bureaucrats and politicians. This is diametrically opposed to the view of the security community.

Unfortunately, thanks to the techno-utopians behind the Aadhaar project, the current government is infected with “data ideology”

For example, Bruce Schneier posted on his blog in March this year (in a piece titled ‘Data is a Toxic Asset‘) saying: “What all these data breaches are teaching us is that data is a toxic asset and saving it is dangerous. This idea has always been part of the data protection law starting with the 2005 EU Data Protection Directive expressed as the principle of “Data Minimization” or “Collection Limitation”. More recently technologists and policy makers also use the phrase “Privacy by Design”. Introducing an unnecessary intermediary or gate-keeper between what is essentially transactions between citizens and the state is an egregious violation of a key privacy principle.”

5. Middle Class and Elite Capture: The use of Twitter amplifies the voices of the English-speaking, elite, and middle class citizens at the expense of the voices of the poor. While elites don’t exhibit fear when tagging police IDs and making public complaints from the comforts of their gated communities with private security guards shielding them the violence of the state, this might be a very intimidating option for the poor and disempowered.

While elites don’t fear tagging police IDs and making public complaints from the comforts of their gated communities, it’s intimidating for the disempowered

While the system may not be discriminatory in its design, it will have disparate impact on different sections of our society. In other words, the introduction of TwitterSeva will exacerbate power asymmetries in our society rather than ameliorating them.

The canonical scholarly reference for this is Kate Crawford’s analysis of City of Boston’s StreetBump smartphone, which resulted in an over-reporting of potholes in elite neighbourhoods and under-reporting from poor and elderly residents. This meant that efficiency in the allocation of the city’s resources was only a cover for increased discrimination against the powerless.

6. Security: The most important conclusion to draw from the Snowden disclosure is that the tin-foil conspiracy theorists who we used to dismiss as lunatics were correct. What has been established beyond doubt is that the United States of America is the world leader when it comes to conducting mass surveillance on netizens across the globe. It is still completely unclear how much access the NSA has to the databases of American social media giants. When the complete police force of a state starts to use Twitter for the delivery of services to the public, then it may be possible for foreign intelligence agencies to use this information to undermine our sovereignty and national security.

The article was published in the Hindustan Times on October 6, 2016.

Many suspect Washington’s 2014 announcement of handing over control of the IANA contract to be fuelled by the outcry following Edward Snowden’s revelations of the extent of US government surveillance. Source: AFP

September 30, 2016, marked the expiration of a contract between the US government and the Internet Corporation for Assigned Names and Numbers (ICANN) to carry out the Internet Assigned Numbers Authority (IANA) functions.

In simpler, acronym-free terms, Washington’s formal oversight over the Internet’s address book has come to an end with the expiration of this contract, with control now being passed on to the “global multistakeholder community”.

ICANN was incorporated in California in 1998 to manage the backbone of the Internet, which included the domain name system (DNS), allocation of IP addresses and root servers. After an agreement with the US National Telecommunications and Information Administration (NTIA), ICANN was tasked with operating the IANA functions, which includes maintenance of the root zone file of the DNS. Over the years Washington has rejected calls to hand over the control of IANA functions, but in March 2014 it announced its intentions to do so and laid down conditions for the handover. Many suspect the driving force behind this announcement to be the outcry following Edward Snowden’s revelations of the extent of US government surveillance.

The conditions laid down by the NTIA were met, and the US government accepted the transition proposal, amidst much political pressure and opposition, most notably from Senator Ted Cruz.

This transition is a step in the right direction, but in reality, it changes very little as it fails to address two critical issues: Of jurisdiction and accountability.

Jurisdiction is important while considering the resolution of contractual disputes, application of labour and competition laws, disputes regarding ICANN’s decisions, consumer protection, financial transparency, etc. Many of these questions, although not all, will depend on where ICANN is located. ICANN’s new bylaws mention that it will continue to be incorporated in California, and subject to California law just as it was pre-transition. Having the DNS subject to the laws of a single country can only lend to its fragility. ICANN’s US jurisdiction also means that it is not free from the political pressures from the US Senate and in turn, the toxic effect of American party politics that were made visible in the events leading up to September 30.

Another critical issue that the transition does not address is that of ICANN accountability. Post-transition, ICANN’s board will continue to be the ultimate decision-making authority, thus controlling the organisation’s functioning, and ICANN staff will be accountable to the board alone.

To put things in perspective, look at the board’s track record in the recent past. In August, an Independent Review Panel (IRP) found that ICANN’s board had violated ICANN’s own bylaws and had failed to discharge its transparency obligations when it failed to look into staff misbehaviour. Following this, in September, ICANN decided to respond to such allegations of mismanagement, opacity and lack of accountability by launching a review. The review however, would not look into the issues, failures and false claims of the board, but instead focus on the process by which ICANN staff was able to engage in such misbehaviour. This ironically, will be in the form of an internal review that will pass through ICANN staff — the subjects of the investigation — before being taken up to the board.

At best, the transition is symbolic of Washington’s oversight over ICANN coming to an end. It is also symbolic of the empowerment of the global multistakeholder community. In reality, it fails to do either meaningfully.

The post was published by Digital Asia Hub on October 6, 2016.

In March 2014, the US Government committed to ending its contract with ICANN to run the Internet Assigned Numbers Authority (IANA), and also announced that it would hand over control to the “global multistakeholder community”. The conditions for this handover were that the changes must be developed by stakeholders across the globe, with broad community consensus.

Further, it was indicated that any proposal must support and enhance the multistakeholder model; maintain the security, stability, and resiliency of the Internet Domain Name System (DNS);  meet the needs and expectation of the global customers and partners of the IANA services and maintain the openness of the Internet. Further, it must not replace the NTIA role with a solution that is government-led or by an inter-governmental organisation.

These conditions were met, ICANN’s Supporting Organisations (SO’s) and Advisory Committees (ACs) accepted transition proposals, and these proposals were then accepted by the ICANN Board as well, putting the transition in motion. But not quite. The “global multistakeholder community” still had to wait for approval from the NTIA and the US government, both of whom eventually approved the proposal. The latter’s approval was confirmed after considerable uncertainty due to Senator Ted Cruz’s efforts to stop the transition, due to his belief that the transition was an exercise of the US government handing over control of the internet to foreign governments. Notwithstanding this, on 29th September, the US Senate passed a short term bill to keep the US Government funded till the end of the year, without a rider on the IANA transition. The next hurdle was a lawsuit filed in federal court in Texas by the attorney generals of four states to stop the handover of the IANA contract. As on the 30^th of September, the court denied the Plaintiffs’ Application, thus allowing the transition to proceed.

What does this transition mean? What does it change? The transition, while a welcome step, leaves much to be desired in terms of tangible change, primarily because it fails to address the most important question, that of ICANN jurisdiction. It is important to have the Internet’s core Domain Name System (DNS) functioning free from the pressures and control of a single country or even a few countries; the transition does not ensure this, as the Post Transition IANA entity (PTI) will be under Californian jurisdiction, just like ICANN was pre-transition. The entire ICANN community has been witness to a single American political figure almost derailing its meticulous efforts simply because he could; and in many ways these events cemented the importance of having diversity in terms of legal jurisdiction of ICANN, the PTI and the root zone maintainer.

My colleague Pranesh Prakash has identified 11 reasons why the question of jurisdiction is important to consider during the IANA transition. Some of these issues depend on where ICANN, the PTI and the root zone maintainer are situated, some depend on the location of the office in question and still others depend on contracts that ICANN enters into. ICANN’s new bylaws state that it will be situated in California, the post transition IANA entities bylaws also make a Californian jurisdiction integral to its functioning. As an alternative, the Centre for Internet & Society has called for the “jurisdictional resilience” of ICANN, encompassing three crucial points: legal immunity for core technical operators of Internet functions (as opposed to policymaking venues) from legal sanctions or orders from the state in which they are legally situated, division of core Internet operators among multiple jurisdictions, and jurisdictional division of policymaking functions from technical implementation functions.

Transparency is also key to engaging meaningfully with ICANN. CIS has filed the most number of Documentary Information Disclosure Policy (DIDP) requests with ICANN, covering a range of subjects including its relationships with contracted parties, financial disclosure, revenue statements, and harassment policies. Asvatha Babu, an intern at CIS, analysed all responses to our requests and found that only 14% of our requests were answered fully. 40% of our requests had no relevant answers disclosed at all (these were mostly to do with complaints and contractual compliance). To illustrate the importance of engaging with ICANN transparency, CIS has focused on understanding ICANN’s sources of income since 2014. This is because we believe that conflict of interest can only be properly understood by following the money in a granular fashion. This information was not publicly available, and in fact, it seemed like ICANN didn’t know where it got its money from, either. It is only through the DIDP process that we were able to get ICANN to disclose sources of income, and figures along with those sources for a single financial year.

ICANN prides itself on being transparent and accountable, but in reality it is not. The most often used exception to avoid answering DIDP requests has been “Confidential business information and/or internal policies and procedures”, which in itself is a testament to ICANN’s opacity. Another condition for non-disclosure allows ICANN to reject answering “Information requests: (i) which are not reasonable; (ii) which are excessive or overly burdensome; (iii) complying with which is not feasible; or (iv) are made with an abusive or vexatious purpose or by a vexatious or querulous individual.”. These exemptions are not only vague, they are also extremely subjective: again, demonstrative of the need for enhanced accountability and transparency within ICANN. Key issues have not been addressed even at the time that the transition is formally underway. The grounds for denying DIDP requests are still vague and wide, effectively giving ICANN the discretion to decline answering difficult questions, which is unacceptable from an entity that is at the center of the multi-billion dollar domain name industry.

ICANN’s jurisdictional resilience and enhanced accountability are particularly vital for countries in Asia. Its policies, processes and functioning have historically been skewed towards western and industry interests, and ICANN can neither be truly global nor multistakeholder till such countries can engage meaningfully with it in a transparent fashion. The IANA transition is, of course, largely political, and may symbolise a transition to the global multistakeholder community, but in reality, it changes very little, if anything.

Published under Creative Commons License CC BY-SA. Anyone can distribute, remix, tweak, and build upon this document, even for commercial purposes, as long as they credit the creator of this document and license their new creations under the terms identical to the license governing this document.

In the previous article on MLATs we discussed, in some detail, what MLATs are and why they are needed.  One area which was briefly focused upon in that article was the limitations and criticisms of the MLAT mechanism, of which one of the main criticisms being the problems caused due to different legal standards in various jurisdictions as well as the time taken to process a request for information sent from one country to another. Talking specifically about the United States, where most internet companies are headquartered and hold large amounts of data, it typically takes months to process requests under MLATs and foreign governments often struggle to comprehend and comply with the legal standards in the United States for obtaining data for use in their investigations.[1] The requirement that a foreign government should take permission from, and comply with the requirements of a foreign government simply because the data needed happens to be controlled by a service provider based in a foreign country strikes many foreign law enforcement officials as damaging to security and law enforcement efforts, especially when they are requesting data pertaining to a crime between two of their own citizens that primarily took place on their soil.[2]

These inefficiencies of the MLAT process lead to further problems of foreign governments attempting to apply their search and surveillance laws in an extraterritorial manner for example in 2014 the UK passed the Data Retention and Investigatory Powers Act, 2014 with gives the government the power to directly access data from foreign service providers if sought for specific purposes and the request is approved by the Secretary of State or other specified executive branch official.[3] Another response that may occur is if, frustrated by such inefficiencies of the existing systems, courts in foreign states start assuming extra territorial jurisdiction, as happened when a District Court in Vishakhapatnam restrained Google from complying with a subpoena issued by the Superior Court of California, ordering Google to share the password of the Gmail account belonging to an Indian citizen residing in Vishakhapatnam.[4]

Solution proposed in the United States

In order to overcome these inefficiencies, at least in the American context, the Department of Justice has proposed a legislation which seeks to make the process of foreign governments getting information from US based entities more streamlined by amending the provisions of the Electronic Communications Privacy Act (ECPA) of the United States (the “Amendment”). These amendments have been proposed primarily for the US and UK to effectuate a proposed bilateral agreement whereby the UK government will be able to approach US companies directly with requests for information without going through the MLAT process or getting an order from a US court.

The Amendment seeks to ensure that requests from foreign governments for information from US entities get answered in a smooth manner by including those requests in the process for seeking information under the ECPA itself. This move would no doubt, make it easier for foreign governments to access data in the US, but such a move can be criticized on the ground that it would then allow all states, irrespective of their legal standards of privacy, etc. to get access to such information. This problem has been overcome in the amendment by adding a new section to Title 18 which would allow the Attorney General, with the concurrence of the Secretary of State to certify to the Congress that the legal standards in the contracting state which is being given access to the mechanism under the ECPA satisfies certain requirements specified in the chapter (and discussed below). Only after such a certification has been received by the Congress, a contracting state would be able to receive the benefits sought to be granted under the Amendment.

It is important to note that the US administration is looking to use the US-UK Agreement as a standard to be followed for similar potential agreements with a number of other countries wherein the agencies in those countries could request information from US based entities through court orders through a properly specified legal framework. Though to our knowledge India has not been formally approached by the US government to enter into such an agreement, it is important to ask the question viz. if approached:

1. Does India's present legal system meet the standards laid down in the amendment to the ECPA?
2. And if they do, should India also seek to enter into such an Agreement with the United States?
3. And if India does, what could be the implications for citizens and for countries in a similar position as India?

We hope to be able to answer the above three questions, or at least throw some light on them, in the conclusion of this paper by relying upon the discussions contained herein.

Criticisms of the Amendment

While such a mechanism may be very effective in addressing the needs of security agencies in investigation and prevention of criminal activities, one cannot accept such an overarching change in cross border enforcement without analyzing the consequences that such a proposal will have on the right to privacy. Some of these consequences have been highlighted by experts responding to the amendment:

Lack of Judicial Authorisation: The Amendment requires that the foreign governments have a process whereby a person could seek post-disclosure review by an independent entity instead of a warrant by a court.[5] Although a court order is not the norm for interception even in Indian law, however under American law such protection is given to data held by American companies even though the data may belong to Indian citizens and this protection will no longer be available if the Amendment is passed.

Vague Standard for requests: Under the domestic law of any state there is usually a large amount of jurisprudence regarding when search orders can be issued, such as the “probable cause” standard that is followed in the United States or similar standards that may be followed in other jurisdictions. This ensures that even when the wording of the law is not precise, which it cannot be for such a subjective issue, there is still some amount of clarity around when and under what circumstances such warrants may be issued. In contrast, the Amendment requires that the orders be based on “requirements for a reasonable justification based on articulable and credible facts, particularity, legality, and severity regarding the conduct under investigation.” Although the language here may seem reasonable but in the absence of any jurisprudence backing it, it becomes very vague and susceptible to misuse. Disclosure without a Warrant: Under the current MLAT process as followed in the United States, a judge in the U.S. must issue a warrant based on probable cause in order for a U.S. company to turn over content to a foreign government. This requirement protects individuals abroad by requiring their governments to meet certain standards when seeking information held by U.S. companies. The Amendment seeks to remove this essential safeguard for a judicial warrant. The Amendment does not require requests from foreign governments to be based on a prior judicial authorization, since a large number of countries (including India) do not always require judicial orders for such orders.[6]

Allows Real Time Surveillance by Foreign Governments: American privacy rights activists have raised the concern that the Amendment would allow foreign governments to conduct ongoing surveillance by asking American companies to turn over data in real time. The requirements that the foreign governments would have to fulfill to execute such an order are less stringent than those which have to be fulfilled by the American security agencies if they want to indulge in similar activities. When the U.S. government wants to conduct real-time surveillance, it must comply with the Wiretap Act, which imposes heightened privacy protections.[7] The court orders for this purpose also require minimization of irrelevant information, are strictly time-limited, only available for certain serious crimes, etc.[8] In Indian law any such request, apart from being time limited and being available only for certain specified purposes, also has to satisfy that interception is the only reasonable option to acquire such information.

Process to determine which countries can make demands is not credible: Under the Amendment, the Attorney General and the Secretary of State, would decide whether the laws and practices of the foreign government adequately meet the standards set forth in the legislation for entering into a bilateral agreement. Their decisions would not be liable to be reviewed by a court or in any administrative procedure. They could make their determinations based on information which is not available to the public and the criteria for making the decision are vague and flexible. Further these criteria have been described as “factors” and not “requirements”[9] so that even if some of them are not satisfied, the certification process can still be completed.

Companies do not have the resources to determine if a request complies with the terms of the agreement: The Amendment does not provide any oversight to ensure that technology companies are only turning over information permitted in a specific bilateral agreement. For example, a bilateral agreement may permit disclosure of information only in response to orders that do not discriminate on the basis of religion, however, it may not be possible for the companies receiving the request to determine whether a particular request complies with that condition or not. The Amendment does not require that individual companies put in place requisite processes to weed out requests that may be non compliant with the provisions of the agreement; nor are there periodic audits to ensure that companies are properly responding to foreign government information requests.[10]

Non compliance with Human Rights Standards: Under international human rights law, governments are allowed to conduct surveillance only based on individualized and sufficient suspicion; authorized by an independent and impartial decision-maker; necessary and proportionate to achieve a legitimate aim, including by being the least intrusive means possible.[11] However the mechanism proposed by the Amendment falls woefully short of these standards.[12]

One must not lose sight of the fact that most of the criticisms of the proposal that have been discussed above have been made in the context of, and based on the standards of privacy protection that are available to American citizens. If we look at it from an Indian perspective most of those protections are not available to Indian citizens in any case since independent judicial oversight is not a sine qua non for access to information by the security agencies in India. Although the Amendment leaves open the question of how a request would be made by the foreign government to the individual Agreements, it may be safe to assume that were India to enter into such an Agreement with the United States, it would require the orders for access to comply with the standards laid down under Indian law before the relevant authorities send the request to the US based data controllers. At the least, this would ensure that the rights of Indian citizens currently guaranteed under Indian law, howsoever flawed they might be, would in all likelihood be safeguarded as per Indian law.

Certification from the Attorney General to the US Congress

In the above background if India were to enter into the agreement with the U.S Government   apart from actually negotiating and signing that Agreement, the Indian government will also have to ensure (if the Amendment is passed) that the Attorney General of the United States, with the concurrence of the Secretary of State gives a certificate to the Congress that Indian law satisfies the requirements set forth in the proposed section XXXX of Title 18.

It must be kept in mind that if the negotiations between India and the United States in this regard reach such a mature stage that the certification from the Attorney General is required, then that would mean that there is enough political will on both sides to ensure that such an arrangement actually comes to fruition. In this context it would not be unfair to assume that the Attorney General may have a slight bias towards opining that Indian laws do conform to the requirements of the Amendment, as the Attorney General would want to support the decision taken by the administration, and our analysis shall have a similar bias in order to be more contextual.

The certification would, inter alia, contain the determination of the Attorney General:

• That the domestic law of India affords robust substantive and procedural protections for privacy and civil liberties in light of the data collection and activities of the Indian government that will be subject to the agreement.It should be noted that the Amendment specifies various factors that should be taken into account to reach such a determination, which include whether the Indian government:

(i) has adequate substantive and procedural laws on cybercrime and electronic evidence, as demonstrated through accession to the Budapest Convention on Cybercrime, or through domestic laws that are consistent with definitions and the requirements set forth in Chapters I and II of that Convention; Although India is not a signatory to the Budapest Convention the Information Technology Act, 2000 (which is the main legislation dealing with cybercrime) has penal provisions which have borrowed heavily from the provisions of the Budapest Convention.

• demonstrates respect for the rule of law and principles of nondiscrimination;

The provisions of Article 14 as well as Article 21 of the Constitution of India demonstrates that the legal regime in India is committed to the rule of law and principles of non discrimination.

• adheres to applicable international human rights obligations and commitments or demonstrates respect for international universal human rights (including but not limited to protection from arbitrary and unlawful interference with privacy; fair trial rights; freedoms of expression, association and peaceful assembly; prohibitions on arbitrary arrest and detention; and prohibitions against torture and cruel, inhuman, or degrading treatment or punishment);

India is a signatory to a number of international human rights conventions and treaties, it has acceded to the International Covenant on Civil and Political Rights (ICCPR), 1966, International Covenant on Economic, Social and Cultural Rights (ICESCR), 1966, ratified the International Convention on the Elimination of All Forms of Racial Discrimination (ICERD), 1965, with certain reservations, signed the Convention on the Elimination of All Forms of Discrimination against Women (CEDAW), 1979 with certain reservations, Convention on the Rights of the Child (CRC), 1989 and signed the Convention against Torture and Other Cruel, Inhuman or Degrading Treatment or Punishment (CAT), 1984. Further the right to life guaranteed under Article 21 of the Constitution takes within its fold a number of human rights such as the right to privacy. Freedom of expression, right to fair trial, freedom of assembly, right against arbitrary arrest and detention are all fundamental rights guaranteed under the Constitution of India.

• has clear legal mandates and procedures governing those entities of the foreign government that are authorized to seek data under the executive agreement, including procedures through which those authorities collect, retain, use, and share data, and effective of oversight of these activities;

India has a number of legislations which govern the interception and request for information such as the Information Technology Act, 2000, the Indian Telegraph Act, 1885, Code of Criminal Procedure, 1973, etc. which put in place mechanisms governing the authorities and entities which can ask for information.

• has sufficient mechanisms to provide accountability and appropriate transparency regarding the government’s collection and use of electronic data; and

The Right to Information Act, 2005 provides the citizens the right to access any public document unless access to the same is prohibited due to the specific exemptions provided in the Act. It may be noted here that the provisions of the Right to Information Act are often frustrated by the bureaucracy by using exceptions such as “national security”, but for the purposes of this write up we are already assuming a bias towards fulfillment of these factors/conditions and therefore as long as there is even some evidence of compliance, the conditions will be considered as fulfilled by the Attorney General for the purposes of his certificate.

• demonstrates a commitment to promote and protect the global free flow of information and the open, distributed, and interconnected nature of the Internet.

The Telecom Regulatory Authority of India, which regulates telecom services in India has also issued the Prohibition of Discriminatory Tariffs for Data Services Regulations, 2016 which prohibits service providers from charging discriminatory tariffs for data services on the basis of content.

Other than Indian law, the certificate from the Attorney General will also have to certify certain issues which would have to be addressed in the bilateral agreement itself, viz.:

• That the Indian government has adopted appropriate procedures to minimize the acquisition, retention, and dissemination of information concerning United States persons subject to the agreement.
• That the agreement requires the following with respect to orders subject to the agreement:

(i) The Indian government may not intentionally target a United States person or a person located in the United States, and must adopt targeting procedures designed to meet this requirement;

(ii) The Indian government may not target a non–United States person located outside the United States if the purpose is to obtain information concerning a United States person or a person located in the United States;

(iii) The Indian government may not issue an order at the request of or to obtain information to provide to the United States government or a third-party government, nor shall the Indian government be required to share any information produced with the United States government or a third-party government;

(iv) Orders issued by the Indian government must be for the purpose of obtaining information relating to the prevention, detection, investigation, or prosecution of serious crime, including terrorism;

(v) Orders issued by the Indian government must identify a specific person, account, address, or personal device, or any other specific identifier as the object of the Order;

(vi) Orders issued by the Indian government must be in compliance with the domestic laws of India, and any obligation for a provider of an electronic communications service or a remote computing service to produce data shall derive solely from Indian law;

(vii) Orders issued by the Indian government must be based on requirements for a reasonable justification based on articulable and credible facts, particularity, legality, and severity regarding the conduct under investigation;

(viii) Orders issued by the Indian government must be subject to review or oversight by a court, judge, magistrate, or other independent authority;

(ix) Orders issued by the Indian government for the interception of wire or electronic communications, and any extensions thereof, must be for a fixed, limited duration; interception may last no longer than is reasonably necessary to accomplish the approved purposes of the order; and orders may only be issued where that same information could not reasonably be obtained by another less intrusive method;

(x) Orders issued by the Indian government may not be used to infringe freedom of speech;

(xi) The Indian government must promptly review all material collected pursuant to the agreement and store any unreviewed communications on a secure system accessible only to those trained in applicable procedures;

(xii) The Indian government must segregate, seal, or delete, and not disseminate material found not to be information that is, or is necessary to understand or assess the importance of information that is, relevant to the prevention, detection, investigation, or prosecution of serious crime, including terrorism, or necessary to protect against a threat of death or seriously bodily harm to any person;

(xiii) The Indian government may not disseminate the content of a communication of a U.S. person to U.S. authorities unless the communication (a) may be disseminated pursuant to Section 4(a)(3)(xii) and (b) relates to significant harm, or the threat thereof, to the United States or U.S. persons, including but not limited to crimes involving national security such as terrorism, significant violent crime, child exploitation, transnational organized crime, or significant financial fraud;

(xiv) The Indian government must afford reciprocal rights of data access to the United States government;

(xv) The Indian government must agree to periodic review of its compliance with the terms of the agreement by the United States government; and

(xvi) The United States government must reserve the right to render the agreement inapplicable as to any order for which it concludes the agreement may not properly be invoked.

Conclusion

It is clear from the discussion above that the proposed Amendment is a controversial piece of legislation which will affect the way law enforcement is carried out in the internet. While there is no doubt that proposing an alternate mechanism to the existing inefficient MLAT structure is definitely the need of the hour, whether the mechanism proposed in the proposed Amendment, with all the negative implications on privacy, is the right way forward is far from certain.

As for the three questions that we had sought out to answer in the beginning of this paper, we would not like to say that Indian law definitely conforms to all the requirements listed in the Amendments, but it can safely be said that it appears that if the governments of India and the United States so wish, it would not be difficult for the Attorney General of the United States to be able to give a certification to the Congress as required in the proposed Amendment.

The other two questions as to whether India should try to opt for such an arrangement if given a chance and what would be the consequence for its people are somewhat related, in the sense that it is only by examining the consequences on its citizens that we will arrive at an answer as to whether India should opt for such an arrangement or not. The level of protections offered to Indian citizens under India law in terms of protection of their private data from government surveillance is lower than that which is offered to American citizens under American law. The growing influence of the internet is changing the citizen-state dynamic giving rise to increasing incidents where the government has to approach private actors for permission in order to carry out their governmental functions of providing security. This is because more and more private data of individual citizens is being uploaded on to the internet and controlled by private actors such as telecom companies, social media sites, etc. and the governments have to approach these private actors in case they want access to this information. The fact that the government has to approach private actors to get access to data gives private citizens some leverage to ask for better privacy protections in the context of state surveillance.

Although this proposed Amendment may not affect the local surveillance laws in India, however it would definitely have an effect on the way that citizens’ data is protected and accessed by the government.

[1] Explanation by the Assistant Attorney General attached to the proposed Amendment.

[2] https://www.justsecurity.org/24145/u-s-u-k-data-sharing-treaty/

[3] https://www.justsecurity.org/24145/u-s-u-k-data-sharing-treaty/

[4] http://spicyip.com/2012/04/clash-of-courts-indian-district-court.html

[5] https://www.justsecurity.org/32529/foreign-governments-tech-companies-data-response-jennifer-daskal-andrew-woods/

[6] https://www.aclu.org/letter/aclu-amnesty-international-usa-and-hrw-letter-opposing-doj-proposal-cross-border-data-sharing

[7] https://www.aclu.org/letter/aclu-amnesty-international-usa-and-hrw-letter-opposing-doj-proposal-cross-border-data-sharing

[8] https://www.justsecurity.org/32529/foreign-governments-tech-companies-data-response-jennifer-daskal-andrew-woods/

[9] https://www.justsecurity.org/32529/foreign-governments-tech-companies-data-response-jennifer-daskal-andrew-woods/

[10] https://www.aclu.org/letter/aclu-amnesty-international-usa-and-hrw-letter-opposing-doj-proposal-cross-border-data-sharing

[11] International Covenant on Civil and Political Rights, art. 17, Dec. 19, 1966, U.N.T.S 999, cf. https://www.aclu.org/letter/aclu-amnesty-international-usa-and-hrw-letter-opposing-doj-proposal-cross-border-data-sharing

[12] https://www.aclu.org/letter/aclu-amnesty-international-usa-and-hrw-letter-opposing-doj-proposal-cross-border-data-sharing

These days’ people have access to various financial services and manage their finances in a diverse manner while dealing with a large number of financial service providers, each providing one or more services that the user may need such as banking, credit card services, investment services, etc. This multiplicity of financial service providers could make it inconvenient for the users to keep track of their finances since all the information cannot be provided at the same place. This problem is sought to be solved by the account aggregators by providing all the financial data of the user at a single place. Account aggregation is the consolidation of online financial account information (e.g., from banks, credit card companies, etc.) for online retrieval at one site. In a typical arrangement, an intermediary (e.g., a  portal) agrees with a third party service provider to provide the service to consumers, the intermediary would then generally privately label the service and offer consumers access to it at the intermediary’s website.[1] There are two major ways in which account aggregation takes place, (i) direct access: wherein the account aggregator gets direct access to the data of the user residing in the computer system of the financial service provider; and (ii) scraping: where the user provides the account aggregator the username and password for its account in the different financial service providers and the account aggregator scrapes the information off the website/portal of the different financial service providers.

Since account aggregation involves the use and exchange of financial information there could be a number of potential risks associated with it such as (i) loss of passwords; (ii) frauds; (iii) security breaches at the account aggregator, etc. It is for this reason that on the advice of the Financial Stability and Development Council,[2] the Reserve Bank of India (“RBI”) felt the need to regulate this sector and on September 2, 2016 issued the Non-Banking Financial Company - Account Aggregator (Reserve Bank) Directions, 2016 to provide a framework for the registration and operation of Account Aggregators in India (the “Directions”). The Directions provide that no company shall be allowed to undertake the business of account aggregators without being registered with the RBI as an NBFC-Account Aggregator. The Directions also specify the conditions that have to be fulfilled for consideration of an entity as an Account Aggregator such as:

1. the company should have a net owned fund of not less than rupees two crore, or such higher amount as the Bank may specify;
2. the company should have the necessary resources and wherewithal to offer account aggregator services;
3. the company should have adequate capital structure to undertake the business of an account aggregator;
4. the promoters of the company should be fit and proper individuals;
5. the general character of the management or proposed management of the company should not be prejudicial to the public interest;
6. the company should have a plan for a robust Information Technology system;
7. the company should not have a leverage ratio of more than seven;
8. the public interest should be served by the grant of certificate of registration; and
9. Any other condition that made be specified by the Bank from time to time.[3]

The Direction further talk about the responsibilities of the Account Aggregators and specify that the account aggregators shall have the duties such as: (a) Providing services to a customer based on the customer’s explicit consent; (b) Ensuring that the provision of services is backed by appropriate agreements/ authorisations between the Account Aggregator, the customer and the financial information providers; (c) Ensuring proper customer identification; (d) Sharing the financial information only with the customer or any other financial information user specifically authorized by the customer; (e) Having a Citizen's Charter explicitly guaranteeing protection of the rights of a customer.[4]

The Account Aggregators are also prohibited from indulging in certain activities such as: (a) Support transactions by customers; (b) Undertaking any other business other than the business of account aggregator; (c) Keeping or “residing” with itself the financial information of the customer accessed by it; (d) Using the services of a third party for undertaking its business activities; (e) Accessing user authentication credentials of customers; (f) Disclosing or parting with any information that it may come to acquire from/ on behalf of a customer without the explicit consent of the customer.[5] The fact that there is a prohibition on the information accessed from actually residing with the Account Aggregator will ensure greater security and protection of the information.

Consent Framework

The Directions specify that the function of obtaining, submitting and managing the customer’s consent should be performed strictly in accordance with the Directions and that no information shall be retrieved, shared or transferred without the explicit consent of the customer.[6] The consent is to be taken in a standardized artefact, which can also be obtained in electronic form,[7] and shall contain details as to (i) the identity of the customer and optional contact information; (ii) the nature of the financial information requested; (iii) purpose of collecting the information; (iv) the identity of the recipients of the information, if any; (v) URL or other address to which notification needs to be sent every time the consent artefact is used to access information; (vi) Consent creation date, expiry date, identity and signature/ digital signature of the Account Aggregator; and (vii) any other attribute as may be prescribed by the RBI.[8] The account aggregator is required to inform the customer of all the necessary attributes to be contained in the consent artefact as well as the customer’s right to file complaints with the relevant authorities.[9] The customers shall also be provided an option to revoke consent to obtain information that is rendered accessible by a consent artefact, including the ability to revoke consent to obtain parts of such information.[10]

Comments: While the Directions have specific provisions regarding how the financial data shall be dealt with, it is pertinent to note that the actual consent artefact also has personal information and it is not clear whether Account Aggregators are allowed disclose that information to third parties are not.

Disclosure and sharing of financial information

Financial information providers such as banks, mutual funds, etc. are allowed to share information with account aggregators only upon being presented with a valid consent artifact and also have the responsibility to verify the consent as well as the credentials of the account aggregator.[11] Once the verification is done, the financial information provider shall digitally sign the financial information and transmit the same to the Account Aggregator in a secure manner in real time, as per the terms of the consent.[12] In order to ensure smooth flow of data, the Directions also impose an obligation on financial information providers to:

• implement interfaces that will allow an Account Aggregator to submit consent artefacts, and authenticate each other, and enable secure flow of financial information;
• adopt means to verify the consent including digital signatures;
• implement means to digitally sign the financial information; and
• maintain a log of all information sharing requests and the actions performed pursuant to such requests, and submit the same to the Account Aggregator.[13]

Comments: The Directions provide that the Account Aggregator will not support any transactions by the customers and this seems to suggest that in case of any mistakes in the information the customer would have to approach the financial information provider and not the Account Aggregator.

Use of Information

The Directions provide that in cases where financial information has been provided by a financial information provider to an Account Aggregator for transferring the same to a financial information user with the explicit consent of the customer, the Account Aggregator shall transfer the same in a secure manner in accordance with the terms of the consent artefact only after verifying the identity of the financial information user.[14] Such information, as well as information which may be provided for transferring to the customer, shall not be used or disclosed by the Account Aggregator or the Financial Information user except as specified in the consent artefact.[15]

Data Security

The Directions specify that the business of an Account Aggregator will be entirely Information Technology (IT) driven and they are required to adopt required IT framework and interfaces to ensure secure data flows from the financial information providers to their own systems and onwards to the financial information users.[16] This technology should also be scalable to cover any other financial information or financial information providers as may be specified by the RBI in the future.[17] The IT systems should also have adequate safeguards to ensure they are protected against unauthorised access, alteration, destruction, disclosure or dissemination of records and data.[18] Information System Audit of the internal systems and processes should be in place and be conducted at least once in two years by CISA certified external auditors whose report is to be submitted to the RBI.[19] The Account Aggregators are prohibited from asking for or storing customer credentials (like passwords, PINs, private keys) which may be used for authenticating customers to the financial information providers and their access to customer’s information will be based only on consent-based authorisation (for scraping).[20]

Grievance Redressal

The Directions require the Account Aggregator to put in place a policy for handling/ disposal of customer grievances/ complaints, which shall be approved by its Board and also have a dedicated set-up to address customer grievances/ complaints which shall be handled and addressed in the manner prescribed in the policy.[21] The Account Aggregator also has to display the name and details of the Grievance Redressal Officer on its website as well as place of business.[22]

Supervision

The Directions require the Account Aggregators to put in place various internal checks and balances to ensure that the business of the Account Aggregator does not violate any laws or regulations such as constitution of an Audit Committee, a Nomination Committee to ensure the “fit and proper” status of its Directors, a Risk Management Committee and establishment of a robust and well documented risk management framework.[23] The Risk Management Committee is required to (a) give due consideration to factors such as reputation, customer confidence, consequential impact and legal implications, with regard to investment in controls and security measures for computer systems, networks, data centres, operations and backup facilities; and b) have oversight of technology risks and ensure that the organisation’s IT function is capable of supporting its business strategies and objectives.[24] Further the RBI also has the power to inspect any Account Aggregator at any time.[25]

Penalties

The Directions themselves do not provide for any penalties for non compliance, however since the Directions are issued under Section 45JA of the Reserve Bank of India Act, 1934 (“RBI Act”), this means that any contravention of these directions will be punishable under Section 58B of the RBI Act which provides for an imprisonment of upto 3 years as well as a fine for any contravention of such directions.

Conclusion

The Directions by the RBI provide a number of regulations and checks on Account Aggregators with the view to ensure safety of customer financial data. These Directions appear to be quite trendsetting in the sense that in most other jurisdictions such as the United States or even Europe there are no specific regulations governing Account Aggregators but their activities are mainly being governed under existing privacy or consumer protection legislations.[26]

The entire regulatory regime for Account Aggregators seems to suggest that the RBI wants Account Aggregators to be like funnels to channel information from various platforms right to the customer (or financial information user) and it does not want to take a chance with the information actually residing with the Account Aggregators. Further, by prohibiting Account Aggregators from accessing user authentication credentials, the RBI is trying to eliminate the possibility of this information being leaked or stolen. Although this may make it more onerous for Account Aggregators to provide their services, it is a great step to ensure the safety and security of customer data.

In recent months the RBI has been trying to actively engage with the various new products being introduced in the financial sector owing to various technological advancements, be it the circular informing the public about the risks of virtual currencies including Bitcoin, the consultation paper on P2P lending platforms or these current guidelines on Account Aggregators. These recent actions of the RBI seem to suggest that the RBI is well aware of various technological advancements in the financial sector and is keeping a keen eye on these technologies and products, but appears to be taking a cautious and weighted approach regarding how to deal with them.

[1] Ann S. Spiotto, Financial Account Aggregation: The Liability Perspective, Fordham Journal of Corporate & Financial Law, 2006, Volume 8, Issue 2, Article 6, available at http://ir.lawnet.fordham.edu/cgi/viewcontent.cgi?article=1181&context=jcfl

[2] https://rbi.org.in/scripts/BS_PressReleaseDisplay.aspx?prid=34345

[3] Clause 4.2.2 of the Directions.

[4] Clause 5 of the Directions.

[5] Clause 5 of the Directions.

[6] Clauses 6.1 and 6.2 of the Directions.

[7] Clause 6.4 of the Directions.

[8] Clause 6.3 of the Directions.

[9] Clause 6.5 of the Directions.

[10] Clause 6.6 of the Directions.

[11] Clauses 7.1 and 7.2 of the Directions.

[12] Clauses 7.3 and 7.4 of the Directions.

[13] Clause 7.5 of the Directions.

[14] Clause 7.6.1 of the Directions.

[15] Clause 7.6.2 of the Directions.

[16] Clause 9(a) of the Directions.

[17] Clause 9(c) of the Directions.

[18] Clause 9(d) of the Directions.

[19] Clause 9(f) of the Directions.

[20] Clause 9(b) of the Directions.

[21] Clauses 10.1 and 10.2 of the Directions.

[22] Clause 10.3 of the Directions.

[23] Clauses 12.2, 12.3 and 12.4 of the Directions.

[24] Clause 12.4 of the Directions.

[25] Clause 15 of the Directions.

[26] http://www.canadiancybersecuritylaw.com/2016/07/german-regulator-finds-banks-data-rules-impede-non-bank-competitors/

The article was published by Bloomberg on October 22, 2016.

The breach was detected when various customers began to lodge complaints with their banks about unauthorised transactions on their accounts, which upon investigation were said to originate from a foreign location such as China. The security breach has affected actively at least 641 customers to the tune of Rs 1.8 crore, with lakhs more being affected by the pro-active measures (including card revocation) being taken by banks to prevent further financial losses.

Surprisingly little is known, however, about the nature of the attack responsible for the breach, the extent or scope of damage it has caused and the sufficiency of the countermeasures being initiated by the banks against the attacks. This article will talk about these aspects of the attack and also suggest normative measures that can be carried out to minimize harm and prevent such attacks in the future.

The Modus Operandi

According to reports, the compromise may have happened at the level of the Hitachi Payment Services, which is a payment services provider which operates, among other financial services, ATMs for a variety of banks across the country. One or a certain number of ATMs were apparently compromised by a malware, which then infected the payment services provider network, leading to a far larger potential target area than just the physical ATMs for malware to act against. The malware could have infected the payment switch provider via physically being uploaded onto vulnerable ATM machines, which are known to run out-dated embedded operating systems with various documented loopholes that are rarely patched. The malware then could have recorded the details of the cards used on the infected ATMs (or even in the network generally) and then, via the same compromised network, transmitted confidential details, including ATM pins and CVV numbers, to the operators of the malware.

The attack could have also occurred from some other vulnerable part of the payment network, such as a payment switch within the bank itself, making it far more dangerous as it still maybe be active on parts of the network within the bank and would have access to a far wider range & variety of information than a mere ATM. There is no real way to know if the threat has been even contained, forget neutralised, as the audits being carried out by PCI-DSS authorised agencies have been on-going for the past month and their reports are not due at least another 15 days, as intimated by NPCIL.

Massive Financial Implications

The compromise of these details, regardless of the source of the compromise, has massive financial implications. This is because various international services allow debit/credit cards to be used only with the card number, expiry date, name & CVV number. They do not require the use of ATM Pins or an OTP (one time password) sent to a mobile phone for online transactions. In fact, unlike India where the RBI mandates OTPs for debit cards, this CVV based simplified online usage is the standard practice of using ATM Cards digitally in most of the developed world.

This would mean that merely changing ATM pins, something which SBI alleges less than 7 percent of its customers had done prior to all 6 lakh cards being blocked, would serve as almost no protection if the cards are enabled for international online transactions. The fact that most of the dubious, unauthorised financial transactions are occurring from foreign locations probably demonstrates that it is these kinds of internationally enabled cards that are being targeted for this sort of an attack.

Are Banks Concealing Information?

The absence of data/security breach laws in India is being sharply felt as there as has been an abject lack of clarity and information from the banking sector and the government regarding the attack. Over 47 states in the USA and most of the countries in the EU have enacted strict data security breach laws that mandate public intimation & disclosure of key information pertaining to the attack along with detailed containment measures. The presence of such a law in India would have gone a long way in preventing the breach from being under the wraps for so long (it occurred at the bank level in September, almost a month ago) and also ensured far more vigilant active compliance by corporations & banks to international security standards and best practices. For now, the only true countermeasure to prevent future harm to affected card holders is for all affected cards to be revoked by the banks and new cards being issued to affected customers.

Constant vigilance & comprehensive security audits by banks to detect affected cards and active protection for customers, using financial and identity insurance services such as AllClear ID Plus (used by Sony in the 2011 Playstation Hack) will go a long way in mitigating the harm of the breach. The banking industry, government & security agencies should all learn from this breach and a combination of new legislation, updated industry practices and consumer awareness is necessary for proactive & reactive actions in the future.

The article was published in the Economic & Political Weekly on September 3, 2016, Vol.51, Issue No.36.

The author of a technical paper will be alarmed when he is convicted of “serious mathematical errors” by someone who has not bothered himself with “going too deep into the mathematics” used. The man must possess miraculous powers of divination one feels: fears rather. The UIDAI seems to have even such formidable diviners in their employ: who have dismissed just so peremptorily, in their rebuttal, the calculations made in my paper titled Flaws in the UIDAI process. The paper appeared in the issue of this journal dated to February 27 of this year. The rebuttal was published in the issue dated to the 12th of March. The interested reader can confirm that I have only repeated what was said there. The rebuttal does not specify, in any way, the mathematical mistakes I am supposed to have made. So I shall rehearse the relevant calculations very broadly: and the experts of the UIDAI will then exhibit, I trust, the specific mistakes they impute to me.[*]

[*]My reply to the UIDAIs attempted rebuttal was sent in to the EPW a few days after that appeared in print: and published as a “web exclusive” article in Volume 51, Issue Number 36 of the EPW, on 03/09/2016.

Read the Full Article

Over the course of two years, the Centre for Internet and Society sent 28 requests to ICANN under its Documentary Information Disclosure Policy (DIDP). A part of ICANN’s accountability initiatives, DIDP is “intended to ensure that information contained in documents concerning ICANN's operational activities, and within ICANN's possession, custody, or control, is made available to the public unless there is a compelling reason for confidentiality.”

Through the DIDP, any member of the public can request information contained in documents from ICANN. We’ve written about the process here, here and here. As a civil society group that does research on internet governance related topics, CIS had a variety of questions for ICANN. The 28 DIDP requests we have sent cover a range of subjects: from revenue and financial information, to ICANN’s relationships with its contracted parties, its contractual compliance audits, harassment policies and the diversity of participants in its public forum. We have blogged about each DIDP request where we have summarized ICANN’s responses.

Here are the DIDP requests we sent in:

ICANN’s responses were analyzed and rated between 0-4 based on the amount of information disclosed. The reasons given for the lack of full disclosure were also studied.

ICANN has defined a set of preconditions under which they are not obligated to answer a request. These preconditions are generously used by ICANN to justify their lack of a comprehensive answer. The wording of the policy also allows ICANN to dodge answering a request if it doesn’t have the relevant documents already in its possession. The responses were also classified by the number of times a particular DIDP condition for non-disclosure was invoked. We will see why these weaken ICANN’s accountability initiatives.  

Of the 28 DIDP requests, only 14% were answered fully, without the use of the DIDP conditions of non-disclosure. Seven out of 28 or 40% of the DIDPs received a 0-rated answer which reflects extremely poorly on the DIDP mechanism itself. Of the 7 responses that received 0-rating, 4 were related to complaints and contractual compliance. We had asked for details on the complaints received by the ombudsman, details on contractual violations by Verisign and abuse contacts maintained by registrars for filing complaints. We received no relevant information.

We have earlier written about the extensive and broad nature of the 12 conditions of non-disclosure that ICANN uses. These conditions were used in 24 responses out of 28. ICANN was able to dodge from fully answering 85% of the DIDP requests that they got from CIS. This is alarming especially for an organization that claims to be fully transparent and accountable. The conditions for non-disclosure have been listed in this document and can be referred to while reading the following graph.

On reading the conditions for non-disclosure, it seems like ICANN can refuse to answer any DIDP request if it so wished. These exclusions are numerous, vaguely worded and contain among them a broad range of information that should legitimately be in the public domain: Correspondence, internal information, information related to ICANN’s relationship with governments, information derived from deliberations among ICANN constituents, information provided to ICANN by private parties and the kicker - information that would be too burdensome for ICANN to collect and disseminate.

As we can see from the graph, the most used condition under which ICANN can refuse to answer a DIDP request is F. Predictably, this is the most vaguely worded DIDP condition of the lot: “Confidential business information and/or internal policies and procedures.” It is up to ICANN to decide what information is confidential with no justification needed or provided for it. ICANN has used this condition 11 times in responding to our 28 requests.

It is also necessary to pay attention to condition L which allow ICANN to reject “Information requests: (i) which are not reasonable; (ii) which are excessive or overly burdensome; (iii) complying with which is not feasible; or (iv) are made with an abusive or vexatious purpose or by a vexatious or querulous individual.” This is perhaps the weakest point in the entire list due its subjective nature. Firstly, on whose standards must this information request be reasonable? If the point of a transparency mechanism is to make sure that information sought by the public is disseminated, should they be allowed to obfuscate information because it is too burdensome to collect? Even if this is fair given the time constraints of the DIDP mechanism, it must not be used as liberally as has been happening. The last sub point is perhaps the most subjective. If a staff member dislikes a particular requestor, this point would justify their refusal to answer a request regardless of its validity. This hardly seems fair or transparent. This condition has been used 9 times in our 28 requests.

Besides the DIDP non-disclosure conditions, ICANN also has an excuse built into the definition of DIDP. Since it is not obliged to create or summarize documents under the DIDP process, it can simply claim to not have the specific document we request and thus negate its responsibility to our request. This is what ICANN did with one of our requests for raw financial data. For our research, we required raw data from ICANN specifically with regard to its expenditure on staff and board members for their travel and attendance at meetings. As an organization that is answerable to multiple stakeholders including governments and the public, it is justified to expect that they have financial records of such items in a systematic manner. However, we were surprised to learn that ICANN does not in fact have these stored in a manner that they can send as attachments or publish. Instead they directed us to the audited financial reports which did little for our research. However, in response to our later request for granular data on revenue from domain names, ICANN explained that while they do not have such a document in their possession, they would create one. This distinction between the two requests seems arbitrary to us since we consider both to be important to public.

Nevertheless, there were some interesting outcomes from our experience filing DIDPs. We learnt that there has been no substantive work done to inculcate the NETmundial principles at ICANN, that ICANN has no idea which regional internet registry contributes the most to its budget, and that it does not store (or is not willing to reveal) any raw financial data. These outcomes do not contribute to a sense of confidence in the organization.

ICANN has an opportunity to reform this particular transparency mechanism at its Workstream 2 discussions. ICANN must make use of this opportunity to listen and work with people who have used the DIDP process in order to make it useful, effective and efficient. To that effect, we have some recommendations from our experience with the DIDP process.

That ICANN does not currently possess a particular document is not an excuse if it has the ability to create one. In its response to our questions on the IANA transition, ICANN indicated that it does not have the necessary documents as the multi stakeholder body that it set up is the one conducting the transition. This is somewhat justified. However, in response to our request for financial details, ICANN must not be able to give the excuse that it does not have a document in its possession. It and it alone has the ability to create the document and in response to a request from the public, it should.

ICANN must also revamp its conditions for non-disclosure and make it tighter. It must reduce the number of exclusions to its disclosure policy and make sure that the exclusion is not done arbitrarily. Specifically with respect to condition F, ICANN must clarify how information was classified as confidential and why that is different from everything else on the list of conditions.

Further, ICANN should not be able to use condition L to outright reject a DIDP request. Instead, there must be a way for the requester and ICANN to come to terms about the request. This could happen by an extension of the 1 month deadline, financial compensation by requester for any expenditure on ICANN’s part to answer the request or by a compromise between the requester and ICANN on the terms of the request. The sub point about requests made “by a vexatious or querulous individual” must be removed from condition L or at least be separated from the condition so that it is clear why the request for disclosure was denied.

ICANN should also set up a redressal mechanism specific to DIDP. While ICANN has the Reconsideration Requests process to rectify any wrongdoing on the part of staff or board members, this is not adequate to identify whether a DIDP was rejected on justifiable grounds. A separate mechanism that deals only with DIDP requests and wrongful use of the non-disclosure conditions would be helpful. According to the icann bylaws, in addition to Requests for Reconsideration, ICANN has also established an independent third party review of allegations against the board and/or staff members. A similar mechanism solely for reviewing whether ICANN’s refusal to answer a DIDP request is justified would be extremely useful.

A strong transparency mechanism must make sure that its objective are to provide answers, not to find ways to justify its lack of answers. With this in mind, we hope that the revamp of transparency mechanisms after workstream 2 discussions leads to a better DIDP process than we are used to.

Recently, the US gave up its role of signing entries to the Internet's root zone file, which represents the addressing system for the global Internet. This is about the Internet addresses that end with .com, .net, and so on, and the numbers associated with each of them that help us navigate the Internet. We thank and congratulate the US government for taking this important step in the right direction. However, the organisation that manages this system, ICANN,[1] a US non-profit, continues to be under US jurisdiction, and hence subject to its courts, legislature and executive agencies. Keeping such an important global public infrastructure under US jurisdiction is expected to become a very problematic means of extending US laws and policies across the world.

We the undersigned therefore appeal that urgent steps be taken to transit ICANN from its current US jurisdiction. Only then can ICANN become a truly global organisation.[2] We would like to make it clear that our objection is not directed particularly against the US; we are simply against an important global public infrastructure being subject to a single country's jurisdiction.

Domain name system as a key lever of global control
A few new top level domains like .xxx and .africa are already under litigation in the US, whereby there is every chance that its law could interfere with ICANN's (global) policy decisions. Businesses in different parts of the world seeking top level domain names like .Amazon, and, hypothetically, .Ghaniancompany, will have to be mindful of de facto extension of US jurisdiction over them. US agencies can nullify the allocation of such top level domain names, causing damage to a business similar to that of losing a trade name, plus losing all the 'connections', including email based ones, linked to that domain name. For instance, consider the risks that an Indian generic drugs company, say with a top level domain, .genericdrugs, will remain exposed to.

Sector specific top level domain names like .insurance, health, .transport, and so on, are emerging, with clear rules for inclusion-exclusion. These can become de facto global regulatory rules for that sector. .Pharmacy has been allocated to a US pharmaceutical group which decides who gets domain names under it. Public advocacy groups have protested [3] that these rules will be employed to impose drugs-related US intellectual property standards globally. Similar problematic possibilities can be imagined in other sectors; ICANN could set “safety standards”, as per US law, for obtaining .car.

Country domain names like .br and .ph remain subject to US jurisdiction. Iran's .ir was recently sought to be seized by some US private parties because of alleged Iranian support to terrorism. Although the plea was turned down, another court in another case may decide otherwise. With the 'Internet of Things', almost everything, including critical infrastructure, in every country will be on the network. Other countries cannot feel comfortable to have at the core of the Internet’s addressing system an organisation that can be dictated by one government.

ICANN must become a truly global body
Eleven years ago, in 2005, the Civil Society Internet Governance Caucus at the World Summit on the Information Society demanded that ICANN should “negotiate an appropriate host country agreement to replace its California Incorporation”.

A process is currently under-way within ICANN to consider the jurisdiction issue. It is important that this process provides recommendations that will enable ICANN to become a truly global body, for appropriate governance of very important global public goods.

Below are some options, and there could be others, that are available for ICANN to transit from US jurisdiction.

1. ICANN can get incorporated under international law. Any such agreement should make ICANN an international (not intergovernmental) body, fully preserving current ICANN functions and processes. This does not mean instituting intergovernmental oversight over ICANN.
2. ICANN can move core internet operators among multiple jurisdictions, i.e. ICANN (policy body for Internet identifiers), PTI [4] (the operational body) and the Root Zone Maintainer must be spread across multiple jurisdictions. With three different jurisdictions over these complementary functions, the possibility of any single one being fruitfully able to interfere in ICANN's global governance role will be minimized.
3. ICANN can institute a fundamental bylaw that its global governance processes will brook no interference from US jurisdiction. If any such interference is encountered, parameters of which can be clearly pre-defined, a process of shifting of ICANN to another jurisdiction will automatically set in. A full set-up – with registered HQ, root file maintenance system, etc – will be kept ready as a redundancy in another jurisdiction for this purpose. [5] Chances are overwhelming that given the existence of this bylaw, and a fully workable exit option being kept ready at hand, no US state agency, including its courts, will consider it meaningful to try and enforce its writ. This arrangement could therefore act in perpetuity as a guarantee against jurisdictional interference without actually having ICANN to move out of the US.
4. The US government can give ICANN jurisdictional immunity under the United States International Organisations Immunities Act . There is precedent of US giving such immunity to non-profit organisations like ICANN. [6] Such immunity must be designed in such a way that still ensures ICANN's accountability to the global community, protecting the community's enforcement power and mechanisms. Such immunity extends only to application of public law of the US on ICANN decisions and not private law as chosen by any contracting parties. US registries/registrars, with the assent of ICANN, can choose the jurisdiction of any state of the US for adjudicating their contracts with ICANN. Similarly, registries/registrars from other countries should be able to choose their respective jurisdictions for such contracts.

We do acknowledge that, over the years, there has been an appreciable progress in internationalising participation in ICANN's processes, including participation from governments in the Governmental Advisory Committee. However, positive as this is, it does not address the problem of a single country having overall jurisdiction over its decisions.

Issued by the following India based organisation:

• Centre for Internet and Society, Bangalore
• IT for Change, Bangalore
• Free Software Movement of India, Hyderabad
• Society for Knowledge Commons, New Delhi
• Digital Empowerment Foundation, New Delhi
• Delhi Science Forum, New Delhi
• Software Freedom Law Centre - India, New Delhi
• Third World Network - India, New Delhi

Supported by the following global networks:

• Association For Progressive Communications
• Just Net Coalition

For any clarification or inquiries you may may write to or call:

• Parminder Jeet Singh: [email protected] +91 98459 49445, or
• Vidushi Marda: [email protected] +91 99860 92252

[1] Internet Corporation for Assigned Names and Numbers

[2] The “NetMundial Multistakeholder Statement” , endorsed by a large number of governments and other stakeholders, including ICANN and US government, called for ICANN to become a “truly international and global organization”.

[3] See, https://www.techdirt.com/articles/20130515/00145123090/big-pharma-firms-seeking-pharmacy-domain-to-crowd-out-legitimate-foreign-pharmacies.shtml

[4] Public Technical Identifier, a newly incorporated body to carry out the operational aspects of managing Internet's identifiers.

[5] This can be at one of the existing non US global offices of ICANN, or the location of one of the 3 non-US root servers. Section 24.1 of ICANN Bylaws say, “The principal office for the transaction of the business of shall be in the County of Los Angeles, State of California, United States of America. may also have an additional office or offices within or outside the United States of America as it may from time to time establish”.

[6] E.g., International Fertilizer and Development Center was designated as a public, nonprofit, international organisation by US Presidential Decree, granting it immunities under United States International Organisations Immunities Act . See https://archive.icann.org/en/psc/corell-24aug06.html

The transparency subgroup of ICANN’s Workstream 2 dialogue attempts to see how they could effectively improve the transparency and accountability of the organization. The main document under scrutiny at the moment is the draft Transparency Report published a few days before the 57th ICANN meeting in Hyderabad.

The report begins with an acknowledgement of the value of taking tips from the Right to Information policies of other institutions and governments. My colleague Padmini Baruah had earlier written a blog post comparing the exclusion policy of ICANN’s DIDP and the Indian Government’s RTI where she found that “the net cast by the DIDP exclusions policy is more vast than even than that of a democratic state’s transparency law.”[1] The WS2 report not only discusses the DIDP process, but also discusses ICANN’s proactive disclosures (with regard to lobbying etc) and whistleblower policies. This article focuses solely on the first.

As our earlier blog posts have mentioned, CIS sent in 28 DIDP requests over the last two years.  Our experience with DIDP has been less than satisfactory and we are pleased that DIDP reform was an important part of the discussions of this subgroup. The report proposes some concrete structural changes to the DIDP process but skirts around some of the more controversial ones.

The recommendation to make the process of submitting requests clearer is a good one. There are currently no instructions on the follow-up process or what ICANN requires of the requestors. The report also recommends capping any extension to the original 30-day limit to an additional 30 days. While this is good, we further recommend that ICANN stay in touch with the requestor in order to help them to the best of its ability. The correspondence should ideally not be limited to a notification that they require an extension. Any clarifications on the part of the requestor must be resolved by ICANN. We commend the report for pointing out that the status quo – where there is no outside limit for extension of time beyond the mandated 30 days – is problematic as it allows the ICANN staff to give lesser priority to responding to DIDP requests. We strongly suggest that extensions of time on responding to DIDP requests be restricted to a maximum of 7 days after the passing of the 30-day period, after which liability should be strictly imposed on ICANN in the form of an individual fine, analogous to India’s RTI policy.[2]

One of the major areas of focus for this report and for our earlier analysis was the problematic nature of the exclusions to the DIDP. I had written that the conditions were "numerous, vaguely worded and contain among them a broad range of information that should legitimately be in the public domain.”[3] This is echoed by the report which calls for a deletion of two clauses that we found most used in denying our requests for information.

The report also calls into question the subjective nature of the last condition which states that ICANN can deny information if they find requests “not reasonable, excessive or overly burdensome, not feasible, abusive or vexatious or made by a vexatious or querulous individual.” As seen from our blog posts, we are of the firm belief that such a subjective condition has no place in a robust information disclosure policy. Requiring the Ombudsman’s consent to invoke it is a good first step. In addition to that, we strongly encourage that objective guidelines which specify when a requestor is considered “vexatious” be drawn up and made public.

The most disappointing aspect of this report is that it does not delve into details about having an independent party dedicated to reviewing the DIDP process to address grievances. We believe that this must not be left to the Ombudsman who cannot devote all their time to this process. We are of the opinion that an independent party would also be able to more effectively oversee the tracking and periodic review of the DIDP mechanism.

In conclusion, we believe that this report is a good start but does not comprehensively answer all of our issues with the DIDP process as it is. We look forward to more engagement with the Transparency subgroup to close all loopholes within the DIDP process.

[1] Padmini Baruah, Peering behind the veil of ICANN’s DIDP, (September 21, 2015), available at http://cis-india.org/internet-governance/blog/peering-behind-the-veil-of-icann2019s-didp (Last visited on November 9, 2016).

[2] Section 20(1), Right to Information Act, 2005.

[3] Asvatha Babu, If the DIDP Did Its Job, (November 3, 2016), available at http://cis-india.org/internet-governance/blog/if-the-didp-did-its-job (Last Visited on November 9, 2016).

Download the Compilation (PDF)

Privacy after Big Data

Evolving data science, technologies, techniques, and practices, including big data, are enabling shifts in how the public and private sectors carry out their functions and responsibilities, deliver services, and facilitate innovative production and service models to emerge. For example, in the public sector, the Indian government has considered replacing the traditional poverty line with targeted subsidies based on individual household income and assets. The my.gov.in platform is aimed to enable participation of the connected citizens, to pull in online public opinion in a structured manner on key governance topics in the country. The 100 Smart Cities Mission looks forwards to leverage big data analytics and techniques to deliver services and govern citizens within city sub-systems. In the private sector, emerging financial technology companies are developing credit scoring models using big, small, social, and fragmented data so that people with no formal credit history can be offered loans. These models promote efficiency and reduction in cost through personalization and are powered by a wide variety of data sources including mobile data, social media data, web usage data, and passively collected data from usages of IoT or connected devices.

These data technologies and solutions are enabling business models that are based on the ideals of ‘less’: cash-less, presence-less, and paper-less. This push towards an economy premised upon a foundational digital ID in a prevailing condition of absent legal frameworks leads to substantive loss of anonymity and privacy of individual citizens and consumers vis-a-vis both the state and the private sector. Indeed, the present use of these techniques run contrary to the notion of the ‘sunlight effect’ - making the individual fully transparent (often without their knowledge) to the state and private sector, while the algorithms and means of reaching a decision are opaque and inaccessible to the individual.

These techniques, characterized by the volume of data processed, the variety of sources data is processed from, and the ability to both contextualize - learning new insights from disconnected data points - and de-contextualize - finding correlation rather than causation - have also increased the value of all forms of data. In some ways, big data has made data exist on an equal playing field as far as monetisation and joining up are concerned. Meta data can be just as valuable to an entity as content data. As data science techniques evolve to find new ways of collecting, processing, and analyzing data - the benefits of the same are clear and tangible, while the harms are less clear, but significantly present.

Is it possible for an algorithm to discriminate? Will incorrect decisions be made based on data collected? Will populations be excluded from necessary services if they do not engage with certain models or do emerging models overlook certain populations? Can such tools be used to surveil individuals at a level of granularity that was formerly not possible and before a crime occurs? Can such tools be used to violate rights – for example target certain types of speech or groups online? And importantly, when these practices are opaque to the individual, how can one seek appropriate and effective remedy.

Traditionally, data protection standards have defined and established protections for certain categories of data. Yet, data science techniques have evolved beyond data protection principles. It is now infinitely harder to obtain informed consent from an individual when data that is collected can be used for multiple purposes by multiple bodies. Providing notice for every use is also more difficult – as is fulfilling requirements of data minimization. Some say privacy is dead in the era of big data. Others say privacy needs to be re-conceptualized, while others say protecting privacy now, more than ever, requires a ‘regulatory sandbox’ that brings together technical design, markets, legislative reforms, self regulation, and innovative regulatory frameworks. It also demands an expanding of the narrative around privacy – one that has largely been focused on harms such as misuse of data or unauthorized collection – to include discrimination, marginalization, and competition harms.

In this compilation we have put together a series of articles that we have developed as we explore the impacts – positive and negative – of big data. This includes looking at India’s data protection regime in the context of big data, reviewing literature on the benefits of harms of big data, studying emerging predictive policing techniques that rely on big data, and analyzing closely the impact of big data on specific privacy principles such as consent. This is a growing body of research that we are exploring and is relevant to multiple areas of our work including privacy and surveillance. Feedback and comments on the compilation are welcome and appreciated.

Elonnai Hickok
Director - Internet Governance

The co-founder of DAKSH Society of India, Kishore Mandyam, opened the event with a thought-provoking presentation on the efficiency levels of the current legal system and the kinds of progress that can be brought about by technological reforms. Members of LegalDesk.com then presented their ideas and then introduced their newest white paper on Legal Digitalization, providing a brief overview of the study and summarizing the most relevant sections. The panel discussion then proceeded, moderated by Sanjay Khan Nagra, a policy expert at iSPIRT Foundation. He facilitated an insightful and conducive discussion around the advantages, disadvantages, risks and incentives of digitalizing the Indian legal system. On the discussion panel was Kishore Mandyam from DAKSH Society and Prabhuling K Navadgi, the Additional Solicitor General of India.

The objectives to the conference, as per its website, were to: (1) examine the current legal framework and the possibility of amendments in laws to facilitate digitalization of the system, (2) asses the potential of India Stack in digitalizing the legal system, (3) to identify statutes which require amendment, (4) identify the hurdles and roadblocks in the path towards digital reform of the legal ecosystem, and (5) suggest amendments to the act and potential areas of improvement. With those objectives in mind, this blog post intends to provide a brief overview of the main narratives shared in the conference and to identify some of the loopholes and unanswered questions that I was left with by the end.

Improved efficiency is the dominant narrative used to advocate for the digitalization of the Indian legal system. According to LegalDesk.com, the current Indian legal system relies mostly on paperwork, resulting in thousands of courts and over a million advocates accumulating lackhs of ongoing cases and an enormous pile of pending cases, mostly due to insufficient information. It is stated that the traditional methods of legal documentation, paperwork and court work must change through awareness, technology and pursuance by the government, as it needs to be implemented throughout the country. The key idea here is that digital transactions are faster and simplify the process of storing information. The ultimate desired outcome here, then, is increased efficiency and transparency.

One must question, however, if this narrative may be overly generous with the credit it gives to technology. IT systems, like many other manmade structures, are always bound to glitch and crash. It would be useful, then, to question whether the legal system is a department that can afford the complications that inevitably accompany a digital transformation. If portals or servers fail at critical times (i.e. when a person needs to confirm their trial date, submit a document before a deadline, or any other pressing procedures), the consequences may in fact outweigh the convenience brought about by overall digitalization. This is not to imply that the legal system cannot or should not undergo a digital transformation. Rather, it is to pose the question of whether the government will dedicate sufficient funds and expertise towards developing a resilient and reliable IT system for the courts. The conference was strongly centered on the concept that technology is always the way forward. This is a positive idea but one must pay special attention to the complications that may arise with the digitalization of a system that must function in a particularly time-sensitive manner – and to ensure that these complications can be managed efficiently and effectively should they arise. This then, requires more than a mere push for digitalization. Introducing new technological platforms is a positive step towards digitalization. However, there is a need for a detailed, government-authorized plan on how the judicial system will efficiently and smoothly undergo this digital transformation in a sustainable and resilient manner.

A presenter from LegalDesk.com mentioned Estonia’s model of complete digital governance as an example of successful digitalization: “If a small country like Estonia can do it, why can’t we?” While it is useful to draw examples and lessons from other countries, it is also crucial to recognize the contextual differences between countries. The presenter’s point was that Estonia is small in both size and population and has just recently gained independence in 1991—and has nonetheless been able to undergo technological reform and completely digitalize governance systems. India’s case is extremely different as one can logically argue that digital inclusion is more difficult to accomplish for large, spatially dispersed populations. Furthermore, the socioeconomic disparities in India, particularly in income and literacy, contribute to an immense digital divide that Estonia did not, to any comparable extent, face in order to digitalize governance over 1.3 million individuals. This is not to suggest that India cannot become a world leader in digital governance, or become comparable to Estonia. Rather, this is to highlight the importance of recognizing historical, political and sociocultural differences between countries when comparing governance models and digitalization processes. There is a need to indigenize digital reform strategies and platforms in India to cater to its unique context and vast diversity. This can be done by focusing on issues such as the language of digital governance, ensuring sufficient distribution of access to public digital platforms, and prioritizing the inclusion of all socioeconomic classes. I would argue that digitalization could come at a greater cost than benefit if it perpetuates the exclusion of the underprivileged members of society, especially from a system as critical as the judiciary. These topics were alarmingly overlooked in the conference.

The topic of privacy was also quite overlooked in the conference. As a step towards digital transformation, LegalDesk.com presented the new eNotary technology, which would be implemented by utilizing a combination of Adhaar based authentication, eSign, digilocker systems such as India Stack and video/audio recorded interviews. With the eNotary system, attestation, authentication and verification of legal instruments can be done remotely.  This is expected to make paperwork easier, faster and more secure, as individuals would log into digital platforms using their Adhaar numbers to perform their judiciary procedures. A member of the audience asked about privacy concerns associated with digitalizing the legal records or property ownership information of individuals. Kishore Mandyam, from DAKSH, answered confidently with a statement that privacy is not a pressing issue here. He asserted that privacy concerns are a western construct that we have adopted in urban parts of India but that is not a concern for the majority of locals. It is clear, however, from examples such as the United States’ predictive policing practices, that accumulating data regarding the legal affiliations of individuals can result in discriminatory practices if this data does not remain strictly confidential to protect the privacy rights of citizens. This is not to mention the other forms of discrimination that can arise from the accumulation of such data, such as the targeting of certain demographics by corporate marketing and credit scoring practices that rely on trends in big data. To keep citizens’ legal records and affairs out of these databases, a digital legal system must be securely encrypted and protected by rigid privacy policies. India may have a varying context that leads to different privacy concerns with regards to a digital legal system. In any case, special attention must be given to privacy and security rights of individuals as their Adhaar numbers become attached to all their online personal data, including their legal records and judicial affairs.

Regarding the proactive mandate, the IT Act and CERT-In Rules include the following areas where CERT-In is required to carry out proactive measures in the interests of cyber security:

1. Forecast and alert cyber security incidents (IT Act, 2000) & Predict and prevent cyber security incidents (CERT-In Rules, 2013)
2. Issue guidelines, advisories and vulnerability notes etc. relating to information security practices, procedures, prevention, response and reporting (IT Act, 2000)
3. Information Security Assurance (CERT-In Rules, 2013)

This article will track and analyse the CERT-In’s operations in each of these areas over the past twelve years, by analysing the information available on CERT-In’s website as well as other media in the public domain.

The analysis will be carried out using a mixed methodology. The basic quantitative analysis of the information available on the CERT-In’ website will be carried out in the form of simple comparatives of updates, bulletins and other forms of publicly available interaction and critical information dispersal on CERT-In’s website. The qualitative sections, on the other hand, will contain a comparative analysis of the content present in the technical documents of the CERT-In with the equivalent documentation (where present) of similar bodies in the USA and EU. Each section will then illustrate normative suggestions as to how CERT-In’s performance of that respective obligation can be improved to better serve its cyber security mandate.

Read the full article

The image is published under Creative Commons License CC BY-SA. Anyone can distribute, remix, tweak, and build upon this document, even for commercial purposes, as long as they credit the creator of this document and license their new creations under the terms identical to the license governing this document.

The article was published by First Post on November 24, 2016.

At the time of writing, 90 percent of respondents expressed the feeling that the government's move was 'brilliant/nice'. However, one must look into the merits of the survey and its limitations to understand the true value and nature of the results of the survey.

The first step required in order to take the survey, is downloading the application itself, which forces the user to automatically grant access to Contacts, Phone and Storage functions of their phone. While there are ostensible reasons for these permissions, (sharing the data from within the application, storing downloaded information, etc.) unless the user is running Android 6.0 or above, the user doesn’t have a choice in giving these permissions. This leaves the application with the potential to collect the entire phone book of the user as as well as access any files stored on the user’s device. This is independent of the survey and provides a large scope for massive data collection from any user just choosing to install the application in the first place. It is easily possible to create a version of the application that carries out a vast majority of its current functions without these permissions and the government (along with the application developer) should endeavour to do so at the earliest. In the alternative, they should have a clear and distinct privacy policy that informs users of the data collection and its possible use.

The second major step required to take the survey is the long and tedious registration process, which requires all sorts of details with massive privacy implications. This includes the name, email ID, phone number, residency details, profession and interests, all of which are compulsory fields. Why all of these details are necessary to take a supposedly simple survey and what possible use this information can be put to by the government is both unclear and problematic. It is also possible to register using Google, Facebook, Twitter and other social networking sites where there is a varying standard of equally private and unnecessary information that is being collected by the application from these websites. There are no privacy notices or consent forms that govern this information collection nor is their any indication of how this information will be put to use beyond the scope of the survey. The generic, standard form privacy policy (less than 10 lines long) on the Narendra Modi website is hidden at the bottom of the application download page (not in the application itself) and leaves a lot to be desired to safeguard user interest.

Once the registration is complete, the user is presented with the survey, which has a total of 10 questions of 3 broad categories. 6 of these questions have multiple choice answers, 3 of them have a sliding rating meter and 1 question has general comments/suggestion page.  The article will now look at these categories and analyze the design of the questions, the extent of the choice they give to the users and finally if the survey has a coercive or limiting effect on the feedback that can be given by the user via the application regarding the demonetisation move.

Choice limiting multiple choice questions.

The first category of questions, the multiple choice questions (MCQ), have varying degree of choices that the user can select from. However, regardless of the extent of the choices, their exact nature is severely limiting and makes it almost impossible to express a truly negative opinion of the survey. This is done in two ways, first the explicit restriction of choices and second the more subtle negative colouring of responses by cleverly phrasing questions. An example of the explicit restriction of choices can be seen in Question No 7. “Demonetisation will bring  real estate, higher education, healthcare in common man’s reach” which has three options, “Completely Agree, Partially Agree and Can’t Say.” There is no option to disagree with the paradigm set by the question and neither is there an option for the user to further explain or elucidate upon the answer, if he/she choose Can’t Say as an option. This also means that there will be no answers that will have “No” as an answer to the fairly open ended question, which can have a myriad of responses. The same can be said for Question No. 6 regarding the demonetisation move’s effectiveness in curbing illegal activities to which, once again, “No” is not an answer, with “Don’t Know” being the best a user disagreeing can do with the survey question.

The second, more subtle aspect of the MCQ questions are questions that serve as bait to demand a positive answer, which can be used to later bolster the survey's results in a positive light. For example, Question No. 1 reads “Do you think Black Money exists in India” and Question No. 2 reads “Do you think the evil of Corruption & Black Money needs to be fought and eliminated?” both of which have simple “Yes” and “No” as the only two possible responses. These rhetorical questions, which demand a positive answer, provide almost no aspect for the user to subtly or explicitly disagree with motivating factor behind the demonetisation move. The placement of these questions and the lack of choice in responses that can be given to them leaves huge potential to tilt the survey results in the favour of the government’s move. For example, you can’t simultaneously agree that black money is a problem and think the demonetisation move is a bad idea, simply because you can’t express that view in a single question within the survey.

Positive bias driven multiple choice question.

The other two categories of questions do not suffer from the overt problems of encouraging positive bias that the MCQ questions do but leave a fair bit to be desired in their outlook towards individuals who disagree with the move. In the sliding rating meter questions, there are strong visual cues that hint that disagreeing with the demonetisation move is a negative, undesirable idea. They do so by using a large, danger red frown as the icon for Question No. 5 that asks for the survey takers opinion on the ban on old 500 and 1000 rupee notes. The same goes for Question No. 3 that deals with the general moves of the government to tackle black money. This makes any opinion or answer that disagrees with the validity of the move an answer that is portrayed in a negative light. Similarly, the general comments/suggestion section in Question No. 10 is the only place for anyone to express a negative or non-concurring opinion, which there is no way to measure statistically in the overall survey results and will mostly likely not be counted in the final survey results.

Visual cues.

All of the above points clearly show that the design of both the Narendra Modi mobile application and its survey have huge potential for coercing a biased viewpoint upon any  survey taker and ensure that it is almost possible to express a stark, negative opinion against the demonetisation move via the survey. This can and should be remedied by the government to allow for a more open, conducive and critical discourse to take place regarding the move among the public. It is only when such opinion is allowed to exist in the first place, that the government can understand, engage and respond to the various valid critiques of the move. The chilling effect that would take place in the current form of the survey would be counterproductive to the original intent behind its creation, which was to create a direct constructive feedback loop between the public and the government.

Backdrop: What is the Reconsideration Request Process?

The Reconsideration Request process has been laid down in Article IV, Section 2 of the

ICANN Bylaws. Some of the key aspects of this provision have been outlined below^[1],

• ICANN is obligated to institute a process by which a person ​materially affected ​by ICANN action/inaction can request review or reconsideration.

• To file this request, one must have been adversely affected by actions of the staff or the board that contradict ICANN’s policies, or actions of the Board taken up without the Board considering material information, or actions of the Board taken up by relying on false information.
• A separate Board Governance Committee was created with the specific mandate of reviewing Reconsideration requests, and conducting all the tasks related to the same.
• The Reconsideration Request must be made within 15 days of:
  • FOR CHALLENGES TO BOARD ACTION: the date on which information about the challenged Board action is first published in a resolution, unless the posting of the resolution is not accompanied by a rationale, in which case the request must be submitted within 15 days from the initial posting of the rationale;
  • FOR CHALLENGES TO STAFF ACTION: the date on which the party submitting the request became aware of, or reasonably should have become aware of, the challenged staff action, and
  • FOR CHALLENGES TO BOARD OR STAFF INACTION: the date on which the affected person reasonably concluded, or reasonably should have concluded, that action would not be taken in a timely manner

• .The Board Governance Committee is given the power to summarily dismiss a reconsideration request if:
  • the requestor fails to meet the requirements for bringing a Reconsideration Request;
  • it is frivolous, querulous or vexatious; or
  • the requestor had notice and opportunity to, but did not, participate in the public comment period relating to the contested action, if applicable

• If not summarily dismissed, the Board Governance Committee proceeds to review and reconsider.
• A requester may ask for an opportunity to be heard, and the decision of the Board Governance Committee in this regard is final.

• The basis of the Board Governance Committee’s action is public written record ­ information submitted by the requester, by third parties, and so on.
• The Board Governance Committee is to take a decision on the matter and make a final determination or recommendation to the Board within 30 days of the receipt of the Reconsideration request, unless it is impractical to do so, and it is accountable to the Board to make an explanation of the circumstances that caused the delay.
• The determination is to be made public and posted on the ICANN website.

ICANN has provided a neat infographic to explain this process in a simple fashion, and I am reproducing it here:

(Image taken from ​https://www.icann.org/resources/pages/accountability/reconsideration­en​)

Our Tryst with the Reconsideration Process

The Grievance
Our engagement with the Reconsideration process began with the rejection of two of our requests (made on September 1, 2015) under ICANN’s Documentary Information Disclosure Policy. The requests sought information about the registry and registrar compliance audit process that ICANN maintains, and asked for various documents pertaining to the same^[2]:

• Copies of the registry/registrar contractual compliance audit reports for all the audits carried out as well as external audit reports from the last year (2014­2015).
• A generic template of the notice served by ICANN before conducting such an audit.
• A list of the registrars/registries to whom such notices were served in the last year.
• An account of the expenditure incurred by ICANN in carrying out the audit process.
• A list of the registrars/registries that did not respond to the notice within a reasonable period of time.
• Reports of the site visits conducted by ICANN to ascertain compliance.
• Documents which identify the registries/registrars who had committed material discrepancies in the terms of the contract.
• Documents pertaining to the actions taken in the event that there was found to be some form of contractual non­compliance.
• A copy of the registrar self­assessment form which is to be submitted to ICANN.

ICANN integrated both the requests and addressed them via one response on 1 October, 2015 (which can be found ​here​). In their response, ICANN inundated us with already available links on their website explaining the compliance audit process, and the processes ancillary to it, as well as the broad goals of the programme ­ none of which was sought for by us in our request. ICANN then went on to provide us with information on their Three­Year Audit programme, and gave us access to some of the documents that we had sought, such as the pre­audit notification template, list of registries/registrars that received an audit notification, the expenditure incurred to some extent, and so on .

Individual contracted party reports were denied to us on the basis of their grounds for non­disclosure. Further, and more disturbingly, ICANN refused to provide us with the names of the contracted parties who had been found under the audit process to have committed discrepancies. Therefore, a large part of our understanding of the way in which the compliance audit process works remains unfinished.

What we did

Dissatisfied with this response, I went on to file a Reconsideration request (number 15­22) as per their standard format on November 2, 2015. (The request filed can be accessed ​here​).As grounds for reconsideration, I stated that “​As a part of my research I was tracking the ICANN compliance audit process, and therefore required access to audit reports in cases where discrepancies where formally found in their actions. This is in the public interest and therefore requires to be disclosed...While providing us with an array of detailed links explaining the compliance audit process, the ICANN staff has not been able to satisfy our actual requests with respect to gaining an understanding of how the compliance audits help in regulating actions of the registrars, and how they are effective in preventing breaches and discrepancies.​” Therefore, I requested them to make the records in question publicly available ­ “​We request ICANN to make the records in question, namely the audit reports for individual contracted parties that reflect discrepancies in contractual compliance, which have been formally recognised as a part of your enforcement process. We further request access to all documents that relate to the expenditure incurred by ICANN in the process, as we believe financial transparency is absolutely integral to the values that ICANN stands by.​”

The Board Governance Committee’s response³

The determination of the Board Governance Committee was that our claims did not merit reconsideration, as I was unable to identify any “​misapplication of policy or procedure by the ICANN Staff​”, and my only issue was with the substance of the DIDP Response itself, and substantial disagreements with a DIDP response are not proper bases for reconsideration

(emphasis supplied).

The response of the Board Governance Committee was educative of the ways in which they determine Reconsideration Requests. Analysing the DIDP process, it held that ICANN was well within its powers to deny information under its defined Conditions for Non­Disclosure, and denial of substantive information did not amount to a procedural violation. Therefore, since the staff adhered to established procedure under the DIDP, there was no basis for our grievance, and our request was dismissed..

Furthermore, as a post­script, it is interesting to note that the Board Governance Committee delayed its response time by over a month, by its own admission ­ “​In terms of the timing of the BGC’s recommendation, it notes that Section 2.16 of Article IV of the Bylaws provides that the BGC shall make a final determination or recommendation with respect to a reconsideration request within thirty days, unless impractical. To satisfy the thirty­day deadline, the BGC would have to have acted by 2 December 2015. However, due to the timing of the BGC’s meetings in November and December, the first practical opportunity for the BGC to consider Request 15­22 was 13 January 2016.​”⁴

Whither do I wander now?

To me, this entire process reflected the absurdity of the Reconsideration request structure as an appeal mechanism under the Documentary Information Disclosure Policy. As our experience indicated, there does not seem to be any way out if there is an issue with the substance of ICANN’s response. ICANN, commendably, is particular about following procedure with respect to the DIDP. However, what is the way forward for a party aggrieved by the flaws in the existing policy? As I had ​analysed earlier​, the grounds for ICANN to not disclose information are vast, and used to deny a large chunk of the information requests that they receive. How is the hapless requester to file a meaningful appeal against the outcome of a bad policy, if the only ground for appeal is non­compliance with the procedure of said bad policy? This is a serious challenge to transparency as there is no other way for a requester to acquire information that ICANN may choose to withold under one of its myriad clauses. It cannot be denied that a good information disclosure law ought to balance the free  disclosure of information with the holding back of information that truly needs to be kept private.^[3][4] However, it is this writer’s firm opinion that even instances where information is witheld, there has to be a stronger explanation for the same, and moreover, an appeals process that does not take into account substantive issues which might adversely affect the appellant falls short of the desirable levels of transparency. Global standards dictate that grounds for appeal need to be broad, so that all failures to apply the information disclosure law/policy may be remedied.⁶ Various laws across the world relating to information disclosure often have the following as grounds for appeal: an inability to lodge a request, failure to respond to a request within the set time frame, a refusal to disclose information, in whole or in part, excessive fees and not providing information in the form sought, as well as a catch­all clause for other failures.⁷

Furthermore, independent oversight is the heart of a proper appeal mechanism in such situations^[5]; the power to decide the appeal must not rest with those who also have the discretion to disclose the information, as is clearly the case with ICANN, where the Board Governance Committee is constituted and appointed by the ICANN Board itself [one of the bodies against whom a grievance may be raised].

Suggestions

We believe ICANN, in keeping with its global, multistakeholder, accountable spirit, should adopt these standards as well, especially now that the transition looms around the corner. Only then will the standards of open, transparent and accountable governance of the Internet ­ upheld by ICANN itself as the ideal ­ be truly, meaningfully realised. Accordingly, the following standards ought to be met with:

1. Establishment of an independent appeals authority for information disclosure cases
2. Broader grounds for appeal of DIDP requests
3. Inclusion of disagreement with the substantive content of a DIDP response as a ground for appeal.
4. Provision of proper reasoning for any justification of the witholding of information that is necessary in the public interest.

[1] Article IV, Section 2, ICANN Bylaws, 2014 ​available at https://www.icann.org/resources/pages/governance/bylaws­en/#IV

[2] Copies of the request can be found ​ ​here​ and ​here​.

[3] Katherine Chekouras, ​Balancing National Security with a Community's Right­to­Know: Maintaining

Public Access to Environmental Information Through EPCRA 's Non­Preemption Clause​, 34 B.C. Envtl. Aff. L. Rev 107, (2007).

[4] Toby Mendel, Freedom of Information: A Comparative Legal Study​ ​ 151 (2nd edn, 2008).

​Id​, at 152

³4 Available ​here​. https://www.icann.org/en/system/files/files/reconsideration­15­22­cis­final­determination­13jan16­en.pdf

[5] Mendel, ​supra ​note 6.

View the PDF

Name of the Commentator/ Organisation: The Centre for Internet and Society, India^[1]

PRELIMINARY

1. This submission presents comments by the Centre for Internet and Society, India (“CIS”) on the ​Smart Cities - Indicators (dated 30 September 2016), released by the Bureau of Indian Standards (“BIS”).
2. CIS is thankful for the opportunity to put forth its views.
3. This submission is divided into three main parts. The first part, ‘Preliminary’, introduces the document; the second part, ‘About CIS’, is an overview of the organization; and, the third part contains the ‘Comments’.

ABOUT CIS

1. CIS is a non-​profit organisation^[2] that undertakes interdisciplinary research on internet and digital technologies from policy and academic perspectives. The areas of focus include digital accessibility for persons with diverse abilities, access to knowledge, intellectual property rights, openness (including open data, free and open source software, open standards, open access, open educational resources, and open video), internet governance, telecommunication reform, freedom of speech and expression, intermediary liability, digital privacy, and cybersecurity.​
2. CIS values the fundamental principles of justice, equality, freedom and economic development. This submission is consistent with CIS' commitment to these values, the safeguarding of general public interest and the protection of India's national interest at the international level. Accordingly, the comments in this submission aim to further these principles.

III. Comments

[1] This submission is authored, in alphabetical order, by Elonnai Hickok (​[email protected]​), Rohini Lakshané (​[email protected]​) and Udbhav Tiwari (​[email protected]​) on behalf of the Centre for Internet and Society, India.

[2] See The Centre for Internet and Society,available at http://cis​india.org for details of the organization, and our work.

Download the Paper (PDF, 277 kb)

Introduction

Defining big data is a disputed area in the field of computer science^[1], there is some consensus on a basic structure to its definition^[2]. Big data is data that is collected in the form of datasets that has three main criteria: size, variety & velocity, all of which operate at an immense scale^[3]. It is ‘big’ in size, often running into petabytes of information, has vast variety within its components, and is created, captured and analysed at an incredibly rapid velocity. All of this also makes big data difficult to handle using traditional technological tools and techniques.

This paper will attempt to perform a high-level literature review of the most commonly used technological tools and processes in the big data life cycle. The big data life cycle is a conceptual construct that can be used to study the various stages that typically occur in collecting, storing and analysing big data, along with the principles that can govern these processes. The big data life cycle consists of four components, which will also be the key structural points of the paper, namely: Data Acquisition, Data Awareness, Data Analytics & Data Governance.⁴ The paper will focus on the aspects that the author believes are relevant for analysing the technological impact of big data on both technology itself and society at large.

Scope: The scope of the paper is to study the technology used in big data using the "Life Cycle of Big Data" as model structure to categorise & study the vast range of technologies that are involved in big data. However, the paper will be limited to the study of technology related directly to the big data life cycle. It shall specifically exclude the use/utilisation of big data from its scope since big data is most often being fed into other, unrelated technologies for consumption leading to rather limitless possibilities.

Goal: Goal of the paper is twofold: a.) to use the available literature on the technological aspects of big data, to perform a brief overview of the technology in the field and b.) to frame the relevant research questions for studying the technology of big data and its possible impact on society.

Data Acquisition

Acquiring big data has two main sub components to it, the first being sensing the existence of the data’ itself and the second, the stage of collecting and storing this data. Both of these subcomponents are incredibly diverse fields, with lots of rapid change occurring in the technology utilised to carry out these tasks. The section will provide a brief overview of the subcomponents and then discuss the technology used to fulfil the tasks.

Data Sensing

Data does not exist in a vacuum and is always created as a part of a larger process, especially in the aspect of modern technology. Therefore, the source of the data itself plays a vital role in determining how it can be captured and analysed in the larger scheme of things. Entities constantly emit information into the environment that can be utilised for the purposes of big data, leading to two main kinds of data: data that is “born digital” or “born analogue.”^[4]

Born Digital Data

Information that is “born digital,” is created, by a user or by a digital system, specifically for use by a computer or data‐processing system. This is a vast range of information and newer fields are being added to this category on a daily basis. It includes, as a short, indicative list: email and text messaging, any form of digital input, including keyboards, mouse interactions and touch screens, GPS location data, data from daily home appliances (Internet of Things), etc. All of this data can be tracked and tagged to users as well as be aggregated to form a larger picture, massively increasing the scope of what may constitute the ‘data’ in big data.

Some indicative uses of how such born digital data is catalogued by technological solutions on the user side, prior to being sent for collection/storage are:

a.) Cookies - There are small, often just text, files that are left on user devices by websites in order to that visit, task or action (for example, logging into an email account) with a subsequent event.^[5] (for example, revisiting the website)

b.) Website Analytics^[6] - Various services, such as Google Analytics, Piwik, etc., can use JavaScript and other web development languages to record a very detailed, intimate track of a user's actions on a website, including how long a user hovers above a link, the time spent on the website/application and in some cases, even the time spent specific aspects of the page.

c.) GPS^[7] - With the almost pervasive usage of smartphones with basic location capabilities, GPS sensors on these devices are used to provide regular, minute driven updates to applications, operating systems and even third parties about the user's location. Modern variations such as A-GPS can be used to provide basic positioning information even without satellite coverage, vastly expanding the indoor capabilities of location collection.

All of these instances of sensing born digital data are common terms, used in daily parlance by billions of people from all over the world, which is a symbolic of just how deeply they have pervaded into our daily lifestyle. Apart from privacy & security concerns this in turn also leads to an exponential increase in the data available to collect for any interested party.

Sensor Data

Information is said to be  “analogue” when it contains characteristics of the physical world, such as images, video, heartbeats, etc.  Such information becomes electronic when processed by a “sensor,” a device that can record physical phenomena and convert it into digital information. Some examples to better illustrate information that is born analogue but collected via digital means are:

a.) Voice and/or video content on devices - Apart from phone calls and other forms communication, video and voice based interactions have started to regularly be captured to provide enhanced services. These include Google Now^[8], Cortana^[9] and other digital assistants as well as voice guided navigation systems in cars, etc.

b.) Personal health data such as heartbeats, blood pressure, respiration, velocity, etc. - This personal, potentially very powerful information is collected by dedicated sensors on devices such as Fitbit^[10], Mi Band^[11], etc. as well as by increasingly sophisticated smartphone applications such as Google Fit that can do so without any special device.

c.) Camera on Home Appliances - Cameras and sensors on devices such as video game consoles (Kinect^[12] being a relevant example) can record detailed human interactions, which can be mined for vast amounts of information apart from carrying out the basic interactions with the devices itself.

While not as vast a category as born digital data, the increasingly lower costs of technology and ubiquitous usage of digital, networked devices is leading to information that was traditionally analogue in nature to be captured for use at a rapidly increasing rate.

Data Collection & Storage

Traditional data was normally processed using the Extract, Transform, Load (ETL) methodology, which was used to collect the data from outside sources, modify the data to fit needs, and then upload the data into the data storage system for future use.^[13] Technology such as spreadsheets, RDBMS databases, Structured Query Languages (SQL), etc. were all initially used to carry out these tasks, more often than not manually. ^[14]

However, for big data, the methodology traditionally followed is both inefficient and insufficient to meet the demands of modern use. Therefore, the Magnetic, Agile, Deep (MAD) process is used to collect and store data^[15][16]. The needs and benefits of such a system are: attracting all the data sources regardless of their quality (magnetic), logical and physical contents of storage systems adapting to the rapid data evolution in big data (agile) and complex algorithmic statistical analysis required of big data on a very short notice^[17]. (deep)

The technology used to perform data storage using the MAD process requires vast amount of processing power, which is very difficult to create in a single, physical space/unit for nonstate or research entities, who cannot afford supercomputers. Therefore, most solutions used in big data rely on two major components to store data: distributed systems and Massive Parallel Processing^[18] (MPP) that run on non-relational (in-memory) database systems. Database performance and reliability is traditionally gauged using pure performance metrics (FLOPS per second, etc.) as well as the Atomicity, consistency, isolation, durability (ACID) criteria.^[19] The most commonly used database systems for big data applications are given below. The specific operational qualities and performance of each of these databases is beyond the scope of this review but the common criteria that makes them well suited for big data storage have been delineated below.

Non-relational databases

Databases traditionally used to be structured entities that operated solely on the ability to correlate information stored in them using explicitly defined relationships. Even prior to the advent of big data, this outlook was turning out to be a limiting factor in how large amounts of stored information could be leveraged, this led to the evolution of non relational database systems. Before going into them in detail, a basic primer on their data transfer protocols will be helpful in understanding their operation.

A protocol is a model that structures instructions in a particular manner so that it can be reproduced from one system to another^[20][21]. The protocols which govern technology in the case of big data have gone through many stages of evolution, starting off with simple HTML based systems^[22], which then evolved to XML driven SOAP systems^[23], which led to JavaScript Object Notation, or JSON^[24], the currently used form for in most big database systems. JSON is an open format used to transfer data objects, using human-readable text and is the basis for most of the commonly used non-relational database management systems. Examples of Non-relational databases also known as NoSQL databases, include MongoDB^[25], Couchbase^[26], etc. They were developed for both managing as well as storing unstructured data. They aim for scaling, flexibility, and simplified development. Such databases rather focus on the high-performance scalable data storage, and allow tasks to be written in the application layer instead of databases specific languages, allowing for greater interoperability.^[27]

In-Memory Databases

In order to overcome performance limitation of traditional database systems, some modern databases now use in-memory databases. These systems manage the data in the RAM memory of the server, thus eliminating storage disk input/output. This allows for almost realtime responses from the database, in comparisons to minutes or hours required on traditional database systems. This improvement in the performance is so massive that, entirely new applications are being developed for using IMDB systems.^[28] These IMDB systems are also being used for advanced analytics on big data, especially to increase the access speed to data and increase the scoring rate of analytic models for analysis.^[29] Examples of IMDB include VoltDB^[30], NuoDB^[31], SolidDB^[32] and Apache Spark^[33].

Hybrid Systems

These are the two major systems used to store data prior to it being processed or analysed in a big data application. However, the divide between data storage and data management is a slim one and most database systems also contain various unique attributes that cater them to specific kinds of analysis. (as can be seen from the IMDB example above) One example of a very commonly used Hybrid system that deals with storage as well as awareness of the data is Apache Hadoop³³, which is detailed below.

Apache Hadoop

Hadoop consists of two main components: the HDFS for the big data storage, and MapReduce for big data analytics, each of which will be detailed in their respective section.

1. The HDFS^[34][35] storage function in Hadoop provides a reliable distributed file system, stored across multiple systems for processing & redundancy reasons. The file system is optimized for large files, as single files are split into blocks and spread across systems known as cluster nodes.^[36] Additionally, the data is protected among the nodes by a replication mechanism, which ensures availability even if any node fails. Further, there are two types of nodes: Data Nodes and Name Nodes.^[37] Data is stored in the form of file blocks across the multiple Data Nodes while the Name Node acts as an intermediary between the client and the Data Node, where it directs the requesting client to the particular Data Node which contains the requested data.

This operating structure for storing data also has various variations within Hadoop such as HBase for key/value pair type queries (a NoSQL based system), Hive for relational type queries, etc. Hadoop’s redundancy, speed, ability to run on commodity hardware, industry support and rapid pace of development have led to it being almost co-equivalently associated with big data.^[38]

Data Awareness

Data Awareness, in the context of big data, is the task of creating a scheme of relationships within a set of data, to allow different users of the data to determine a fluid yet valid context and utilise it for their desired tasks.^[39] It is a relatively new field, in which most of the work is currently being done on semantic structures to allow data to gain context in an interoperable format, in contrast to the current system where data is given context using unique, model specific constructs.^[40] (such as XML Schemes, etc.)

Some of the original work on this field was carried out in the form of utilising the Resource Description Framework (RDF), which was built primarily to allow describing of data in a portable manner, especially being agnostic towards platforms and systems for Semantic Web at the W3C. SPARQL is the language used to implement RDF based designs but both largely remain underutilised in both the public domain as well as big data. Authors such as Kurt

Cagle^[41] and Bob DuCharme^[42] predict its explosion in the next couple of years. Companies have also started realising the value of interoperable context, with Oracle Spatial^[43] and IBM’s DB2^[44] already including RDF and SPARQL support in the past 3 years.

While underutilised, the rapid developments taking place in the field will make the impact that data awareness may have on big data as big as Hadoop and maybe even SQL. Some aspects of it are already beginning to be used in Artificial Intelligence, Natural Language Processing, etc. with tremendous scope for development.^[45]

Data Processing & Analytics

Data Processing largely has three primary goals: a. determines if the data collected is internally consistent; b. make the data meaningful to other systems or users using either metaphors or analogy they can understand; and (what many consider most importantly) provide predictions about future events and behaviours based upon past data and trends.^[46]

Being a very vast field with rapidly changing technologies governing its operation, this section will largely concentrate on the most commonly used technologies in data analytics.

Data analytics requires four primary conditions to be met in order to carry out effective processing: fast, data loading, fast query processing, efficient utilisation of storage and adaptivity to dynamic workload patterns. The analytical model most commonly associated with meeting this criteria and with big data in general is MapReduce, detailed below. There are other, more niche models and algorithms (such as Project Voldemort^[47] used by LinkedIn), which are used in big data but they are beyond the scope of the review, and more information about them can be read at article linked in the previous citation. (Reference architecture and classification of technologies, products and services for big data system)

MapReduce

MapReduce is a generic parallel programming concept, derived from the “Map” and “Reduce” of functional programming languages, which makes it particularly suited for big data operations. It is at the core of Hadoop^[48], and performs the data processing and analytics functions in other big data systems as well.^[49] The fundamental premise of MapReduce is scaling out rather than scaling up, i.e., (adding more numerical resources, rather than increasing the power of a single system)^[50]

MapReduce operates by breaking a task down into steps and executing the steps in parallel, across many systems. This comes with two advantages, a reduction in the time needed to finish the task and also a decrease in the amount of resources one has to expend to perform the task, in both power and energy. This model makes it ideally suited for the large data sets and quick response times required of big data operations generally.

The first step of a MapReduce job is to correlate the input values to a set of keys/value pairs as output. The “Map” function then partitions the processing tasks into smaller tasks, and assigns them to the appropriate key/value pairs.^[51] This allows unstructured data, such as plain text, to be mapped to a structured key/value pair. As an example, the key could be the punctuation in a sentence and the value of the pair could be the number of occurrences of the punctuation overall. This output of the Map function is then passed on “Reduce” function.^[52] Reduce then collects and combines this output, using identical key/value pairs, to provide the final result of the task.^[53] These steps are carried using the Job Tracker & Task Tracker in Hadoop but different systems have different methodologies to carry out similar tasks.

Data Governance

Data Governance is the act of managing raw big data as well as the processed information that arises from big data in order to meet legal, regulatory and business imposed requirements. While there is no standardized format for data governance, there have been increasing call with various sectors (especially healthcare) to create such a format to ensure reliable, secure and consistent big data utilisation across the board. The following tactics and techniques have been utilised or suggested for data governance, with varying degrees of success:

1. Zero-knowledge systems: This technological proposal maintains secrecy with respect to the low-level data while allowing encrypted data to be examined for certain higherlevel abstractions.^[54] For the system to be zero-knowledge, the client’s system will have to encrypt the data and send it to the storage provider. Due to this, the provider stores the data in the encrypted format and cannot decipher the same unless he/she is in possession of the key which will decrypt the data into plaintext. This allows the individual to store his data with a storage provider while also maintaining anonymity of the details contained in such information. However, these are currently just beginning to be used in simple situations. As of now, they are not expandable to unstructured and complex cases and have to be developed marginally before they can be used for research and data mining purposes.
2. Homomorphic encryption: Homomorphic encryption is a privacy preserving technique which performs searches and other computations over data that is encrypted while also protecting the individual’s privacy.^[55] This technique has however been considered to be impractical and is deemed to be an unlikely policy alternative for near future purposes in the context of preserving privacy in the age of big data.^[56]
3. Multi-party computation: In this technique, computation is done on encrypted distributed data stores.^[57] This mechanism is closely related to homomorphic encryption where individual data is kept private using encryption algorithms called “collusion-robust” while the same is used to calculate statistics.^[58] The parties involved are aware of some private data and each of them use a protocol which produces results based on the information they are aware of and the information they are not aware of, without revealing the data they are not already aware of.^[59] Multi-party computations thus help in generating useful data for statistical and research purposes without compromising the privacy of the individuals.

1. Differential Privacy: Although this technological development is related to encryption, it follows a different technique. Differential privacy aims at maximizing the precision of computations and database queries while reducing the identifiability of the data owners who have records in the database, usually through obfuscation of query results.^[60] This is widely applied today in the existence of big data in order to ensure preservation of privacy while trying to reap the benefits of large scale data collection.^[61]
2. Searchable encryption: Through this mechanism, the data subject can make certain data searchable while minimizing exposure and maximizing privacy.^[62] The data owner can make his information available through search engines by providing the data in an encrypted format but by adding tags consisting of certain keywords which can be deciphered by the search engine. This encrypted data shows up in the search results when searched with these particular keywords but can only be read when the person is in possession of the key which is required for decrypting the information.

This technique of encryption provides maximum security to the individual’s data and preserves privacy to the greatest possible extent.

1. K-anonymity: The property of k-anonymity is being applied in the present day in order to preserve privacy and avoid re-identification.^[63] A certain data set is said to possess the property of k-anonymity if individual specific data can be released and used for various purposes without re-identification. The analysis of the data should be carried out without attributing the data to the individual to whom it belongs and should give scientific guarantees for the same.
2. Identity Management Systems: These systems enable the individuals to establish and safeguard their identities, explain those identities with the help of attributes, follow the activity of their identities and also delete their identities if they wish to.^[64] It uses cryptographic schemes and protocols to make anonymous or pseudonymous the identities and credentials of the individuals before analysing the data.
3. Privacy Preserving Data Publishing: This is a method in which the analysts are provided with the individual’s personal information with the ability to decipher particular information from the database while preventing the inference of certain other information which might lead to a breach of privacy.^[65] Data which is essential for the analysis will be provided for processing while sensitive data will not be disclosed. This tool primarily focuses on microdata.
4. Privacy Preserving Data Mining: This mechanism uses perturbation methods and randomization along with cryptography in order to permit data mining on a filtered version of the data which does not contain any form of sensitive information. PPDM focuses on data mining results unlike PPDP.^[66]

Conclusion

Studying the technology surrounding big data has led to two major observations: the rapid pace of development in the industry and the stark lack of industry standards or government regulations directed towards big data technologies. These observations have been the primary motivating factor for framing further research in the field. Understanding how to deal with big data technologically, rather than just the potential regulation of possible harms after the technological processes have been performed might be critical for the human rights dialogue as these processes become even more extensive, opaque and technologically complicated.

[1] EMC: Data Science and Big Data Analytics. In: EMC Education Services, pp. 1–508 (2012)

[2] Bakshi, K.: Considerations for Big Data: Architecture and Approaches. In: Proceedings of the IEEE Aerospace Conference, pp. 1–7 (2012)

[3] Adams, M.N.: Perspectives on Data Mining. International Journal of Market Research 52(1), 11–19 (2010) ⁴ Elgendy, N.: Big Data Analytics in Support of the Decision Making Process. MSc Thesis, German University in Cairo, p. 164 (2013)

[4] Big Data and Privacy: A Technological Perspective - President’s            Council of Advisors on Science and

Technology (May 2014)

[5] Chen, Hsinchun, Roger HL Chiang, and Veda C. Storey. "Business Intelligence and Analytics: From Big Data to Big Impact." MIS quarterly 36.4 (2012): 1165-1188.

[6] Chandramouli, Badrish, Jonathan Goldstein, and Songyun Duan. "Temporal analytics on big data for web advertising." 2012 IEEE 28th international conference on data engineering. IEEE, 2012.

[7] Laurila, Juha K., et al. "The mobile data challenge: Big data for mobile computing research." Pervasive Computing. No. EPFL-CONF-192489. 2012.

[8] Lazer, David, et al. "The parable of Google flu: traps in big data analysis." Science 343.6176 (2014): 12031205.

[9] ibid

[10] Banaee, Hadi, Mobyen Uddin Ahmed, and Amy Loutfi. "Data mining for wearable sensors in health monitoring systems: a review of recent trends and challenges." Sensors 13.12 (2013): 17472-17500.

[11] ibid

[12] Chung, Eric S., John D. Davis, and Jaewon Lee. "Linqits: Big data on little clients." ACM SIGARCH Computer Architecture News. Vol. 41. No. 3. ACM, 2013.

[13] Kornelson, Kevin Paul, et al. "Method and system for developing extract transform load systems for data warehouses." U.S. Patent No. 7,139,779. 21 Nov. 2006.

[14] Henry, Scott, et al. "Engineering trade study: extract, transform, load tools for data migration." 2005 IEEE Design Symposium, Systems and Information Engineering. IEEE, 2005.

[15] Cohen, Jeffrey, et al. "MAD skills: new analysis practices for big data." Proceedings of the VLDB Endowment

[16] .2 (2009): 1481-1492.

[17] Elgendy, Nada, and Ahmed Elragal. "Big data analytics: a literature review paper." Industrial Conference on Data Mining. Springer International Publishing, 2014.

[18] Wu, Xindong, et al. "Data mining with big data." IEEE transactions on knowledge and data engineering 26.1 (2014): 97-107.

[19] Supra Note 17

[20] Hu, Han, et al. "Toward scalable systems for big data analytics: A technology tutorial." IEEE Access 2 (2014):

[21] -687.

[22] Kurt Cagle, Understanding the Big Data Lifecycle - LinkedIn Pulse (2015)

[23] Coyle, Frank P. XML, Web services, and the data revolution. Addison-Wesley Longman Publishing Co., Inc., 2002.

[24] Pautasso, Cesare, Olaf Zimmermann, and Frank Leymann. "Restful web services vs. big'web services: making the right architectural decision." Proceedings of the 17th international conference on World Wide Web. ACM, 2008.

[25] Banker, Kyle. MongoDB in action. Manning Publications Co., 2011

[26] McCreary, Dan, and Ann Kelly. "Making sense of NoSQL." Shelter Island: Manning (2014): 19-20.

[27] ibid

[28] Zhang, Hao, et al. "In-memory big data management and processing: A survey." IEEE Transactions on Knowledge and Data Engineering 27.7 (2015): 1920-1948.

[29] ibid

[30] ibid

[31] Supra Note 20

[32] Ballard, Chuck, et al. IBM solidDB: Delivering Data with Extreme Speed. IBM Redbooks, 2011.

[33] Shanahan, James G., and Laing Dai. "Large scale distributed data science using apache spark." Proceedings of the 21th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining. ACM, 2015. ³³ Shvachko, Konstantin, et al. "The hadoop distributed file system." 2010 IEEE 26th symposium on mass storage systems and technologies (MSST). IEEE, 2010.

[34] Borthakur, Dhruba. "The hadoop distributed file system: Architecture and design." Hadoop Project Website

[35] .2007 (2007): 21.

[36] ibid

[37] ibid

[38] Zikopoulos, Paul, and Chris Eaton. Understanding big data: Analytics for enterprise class hadoop and streaming data. McGraw-Hill Osborne Media, 2011.

[39] Bizer, Christian, et al. "The meaningful use of big data: four perspectives--four challenges." ACM SIGMOD Record 40.4 (2012): 56-60.

[40] Kaisler, Stephen, et al. "Big data: issues and challenges moving forward." System Sciences (HICSS), 2013 46th Hawaii International Conference on. IEEE, 2013.

[41] Supra Note 21

[42] DuCharme, Bob. "What Do RDF and SPARQL bring to Big Data Projects?." Big Data 1.1 (2013): 38-41.

[43] Zhong, Yunqin, et al. "Towards parallel spatial query processing for big spatial data." Parallel and

Distributed Processing Symposium Workshops & PhD Forum (IPDPSW), 2012 IEEE 26th International. IEEE, 2012.

[44] Ma, Li, et al. "Effective and efficient semantic web data management over DB2." Proceedings of the 2008 ACM SIGMOD international conference on Management of data. ACM, 2008.

[45] Lohr, Steve. "The age of big data." New York Times 11 (2012).

[46] Pääkkönen, Pekka, and Daniel Pakkala. "Reference architecture and classification of technologies, products and services for big data systems." Big Data Research 2.4 (2015): 166-186.

[47] Sumbaly, Roshan, et al. "Serving large-scale batch computed data with project voldemort." Proceedings of the 10th USENIX conference on File and Storage Technologies. USENIX Association, 2012.

[48] Bar-Sinai, Michael. "Big Data Technology Literature Review." arXiv preprint arXiv:1506.08978 (2015).

[49] ibid

[50] Condie, Tyson, et al. "MapReduce Online." Nsdi. Vol. 10. No. 4. 2010.

[51] Supra Note 47

[52] Dean, Jeffrey, and Sanjay Ghemawat. "MapReduce: a flexible data processing tool." Communications of the ACM 53.1 (2010): 72-77.

[53] ibid

[54] Big Data         and      Privacy:           A    Technological Perspective,                 White               House,

https://www.whitehouse.gov/sites/default/files/microsites/ostp/PCAST/pcast_big_data_and_privacy__may_2014

[55] Tene, Omer, and Jules Polonetsky. "Big data for all: Privacy and user control in the age of analytics." Nw. J. Tech. & Intell. Prop. 11 (2012): xxvii.

[56] Big Data         and      Privacy:           A    Technological Perspective,                 White               House,

https://www.whitehouse.gov/sites/default/files/microsites/ostp/PCAST/pcast_big_data_and_privacy__may_2014

[57] Privacy by design in big data, ENISA

[58] Big Data         and      Privacy:           A    Technological Perspective,                 White               House,

https://www.whitehouse.gov/sites/default/files/microsites/ostp/PCAST/pcast_big_data_and_privacy__may_2014

[59] Id

[60] Id

[61] Tene, Omer, and Jules Polonetsky. "Privacy in the age of big data: a time for big decisions." Stanford Law Review Online 64 (2012): 63.

[62] Lane, Julia, et al., eds. Privacy, big data, and the public good: Frameworks for engagement. Cambridge University Press, 2014.

[63] Crawford, Kate, and Jason Schultz. "Big data and due process: Toward a framework to redress predictive privacy harms." BCL Rev. 55 (2014): 93.

[64] http://homes.esat.kuleuven.be/~sguerses/papers/DanezisGuersesSurveillancePets2010.pdf

[65] Seda Gurses and George Danezis, A critical review of 10 years of privacy technology, August 12th 2010, http://homes.esat.kuleuven.be/~sguerses/papers/DanezisGuersesSurveillancePets2010.pdf

[66] Id

This blog post has been authored by Bhavyanshu Parasher. The original post can be read here.

What were the issues?

The main issue was how the app was communicating with the API served by narendramodi.in.

Fixed

1. The most important issue of all. Unauthorized access to personal info, like email addresses, is fixed. I have tested it and can confirm it.
2. A check to verify if a valid user is making the request to API endpoint is fixed. I have tested it and can confirm it.
3. Blocked HTTP. Every response is served over HTTPS. The people on older versions (which was serving over HTTP) will get a message regarding this. I have tested it. It says something like “Please update to the latest version of the Narendra Modi App to use this feature and access the latest news and exciting new features”. It’s good that they have figuered out a way to deal with people running older versions of the app. Atleast now they will update the app.

Detailed Vulnerability Disclosure

Found major security loophole in how the app accesses the “api.narendramodi.in/api/” API. At the time of disclosure, API was being served over “HTTP” as well as “HTTPS”. People who were still using the older version of the app were accessing endpoints over HTTP. This was an issue because data (passwords, email addresses) was being transmitted as plain text. In simple terms, your login credentials could easily be intercepted. MITM attack could easily fetch passwords and email addresses. Also, if your ISP keeps log of data, which it probably does, then they might already have your email address, passwords etc in plain text. So if you were using this app, I would suggest you to change your password immediately. Can’t leave out a possibility of it being compromised.

Another major problem was that the token needed to access API was giving a false sense of security to developers. The access token could easily be fetched & anyone could send hand-crafted HTTP requests to the server. It would result in a valid JSON response without authenticating the user making the request. This included accessing user-data (primarily email address, fb profile pictures of those registered via fb) for any user and posting comments as any registered user of the app. There was no authentication check on the API endpoint. Let me explain you with a demo.

The API endpoint to fetch user profile information (email address) was getprofile. Before the vulnerability was fixed, the endpoint was accessible via “http://www.narendramodi.in/api/getprofile?userid=useridvalue&token=sometokenvalue”. As you can see, it only required two parameters. userid, which we could easily iterate on starting from 1 & token which was a fixed value. There was no authentication check on API access layer. Hand-crafting such requests resulted in a valid JSON response which exposed critical data like email addresses of each and every user. I quickly wrote a very simply script to fetch some data to demonstrate. Here is the sample output for xrange(1,10).

Not just email addresses, using this method you could spam on any article pretending to be any user of the app. There was no authentication check as to who was making what requests to the API. See,

They have fixed all these vulnerabilities. I still believe it wouldn’t have taken so long if I would have been able to get in touch with team of engineers directly right from the beginning. In future, I hope they figure out an easier way to communicate. Such issues must be addressed as soon as they are found but the communication gap cost us lot of time. The team did a great job by fixing the issues and that’s what matters.

Disclosure to officials

The email address provided on Google play store returned a response stating “The email account that you tried to reach is over quota”. Had to get in touch with authorities via twitter.

Vulnerability disclosed to authorities on 30th sep, 2015 around 5:30 AM

After about 30 hours of reporting the vulnerabillity

Proposed Solution

Consulted @pranesh_prakash as well regarding the issue.

After this, I mailed them a solution regarding the issues.

Discussion with developer

Received phone call from a developer. Discussed possible solutions to fix it.

The solution that I proposed could not be implemented since the vulnerability is caused by a design flaw that should have been thought about right from the beginning when they started developing the app. It just proved how difficult it is to fix such issues for mobile apps. For web apps, it’s lot easier. Why? Because for mobile apps, you need to consider backward compatibility. If they applied my proposed solution, it would crash app for people running the older versions. Main problem is that people don’t upgrade to latest versions leaving themselves vulnerable to security flaws. The one I proposed is a better way of doing it I think but it will break for people using older versions as stated by the developer. Though, they (developers) have come up with solutions that I think would fix most of the issues and can be considered an alternative.

On Oct 3rd, I received mail from one of the developers who informed me they have fixed it. I could not check it out at that time as I was busy but I checked it around 5 PM. I can now confirm they have fixed all three issues.

Update 12/02/2016

This vulnerability in NM app is similar to the one I got fixed last year. Like I said before also, the vulnerability is because of how the API has been designed. They released the same patch which they did back then. Removing email addresses from the JSON output is not really a patch. I wonder why would they introduce personal information in JSON output again if they knew that’s a privacy problem and has been reported by me a year back. He showed how he was able to follow any user being any user. Similarly, I was able to comment on any post using account of any user of the app. When I talked to the developer back then he mentioned it will be difficult to migrate users to a newer/secure version of the app so they are releasing this patch for the meantime. It was more of a backward compatibility issue because of how API was designed. The only solution to this problem is to rewrite the API from scratch and add standard auth methods for API. That should take care of most of vulnerabilities.

Also read:

• Narendra Modi app hacked by youngster, points out risk to 7 million users’ data (New Indian Express; December 2, 2016)
• Security flaw: 22-year-old hacks Modi app and accesses private data of 7 million people (India Today; December 2, 2016)
• The NaMo App Non-Hack is Small Fry – the Tech Security on Government Apps Is Worse (The Wire; December 3, 2016)

Download (PDF)

Contents

1. Introduction

2. Global Scenario

3. Overview of Public Wi-Fi in India

4. Indian Policy and Legal Conundrum

5. Public Wi-Fi and Privacy Concerns

5.1. Data Theft

5.2. Tracking an Individual

5.3. Makes the Electronic Devices Prone to Hacking and Setting up Fake Networks

5.4. Illegal Use of Data

6. Ranking Digital Rights Project

6.1. D-VoIS, Bangalore

6.2. Tata Docomo, Bangalore

7. Compliance of Privacy Policies with Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011

8. Conclusion and Recommendations

8.1. Commitment

8.2. Freedom of Expression

8.3. Privacy

1. Introduction

Recognizing internet as a critical tool for day-to-day work and facilitating increased access to it in the past few years,^[1] the Indian Government as well as Governments across the world have rolled out plans for offering public Wi-Fi. However, privacy risks of using public Wi-Fi have also been flagged across jurisdictions, which will be discussed in this paper. Apart from highlighting key privacy concerns associated with the use of free public Wi-Fi, this case study aims to analyse the privacy policies of two of the Internet Service Providers in India-namely Tata Docomo^[2] and D-VoiS^[3], which offer public Wi-Fi services in Bangalore city against the indicators listed under the Ranking Digital Rights project^[4], as well as the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011^[5]. Based on this analysis, this paper shall list key recommendations to these ISPs to ensure sound privacy policies and practices with a view to have a balanced framework and ecosystem in light of key privacy considerations, especially in light of public Wi-Fi.

2. Global Scenario

Security and privacy concerns around the use of free and public Wi-Fi have been raised in India^[6] as well as across the globe. In various cities like Bangalore, Delhi, Hyderabad, New York, London, Paris, etc., privacy experts have raised concerns over the public Wi-Fi systems at metro stations, malls, payphones and other such public places.^[7]

For many years, New York City has been in the process of developing a “free” public Wi-Fi project called LinkNYC^[8] to bring wireless Internet access to the residents of the city. However, privacy concerns have been raised by the users and privacy advocates like the New York Civil Liberties Union, where the latter also issued a letter to the Mayor's office regarding this^[9] as the collection of potentially sensitive personal, locational and behavioral data, without adequate safeguards could result in sharing of such data without the data subject’s consent or knowledge. For example, one of the concerns raised has been regarding retention of user's data by CityBridge, the company behind the LinkNYC kiosks, often indefinitely,  for building a massive database which carries a risk of security breaches and unwarranted surveillance by the police. ^[10] Also, users are concerned that their internet browsing history may reveal sensitive information about their political views, religious affiliations or medical issues^[11], since registration is required to use LinkNYC by submitting their email addresses and by agreeing to allow CityBridge to collect information about the websites they visit, the duration for which they linger on certain information on a webpage and the links they click on. On the contrary, the privacy policy of CityBridge states that this massive amount of personally identifiable user information would be cleared only if there have been 12 months of user inactivity, raising an alarm in light of privacy concerns.^[12]

In the year 2015, the Information Commissioner’s Office (ICO) conducted a review of public Wi-Fi services on a UK high street, where it was found that the Wi-Fi networks requested for varying levels of personal data, which was also processed for marketing purposes. The results highlighted that while some networks did not request any personal data, others asked for varying amounts, including information regarding name, postal and email address, mobile number, gender, as well as asking for a date of birth as a mandatory requirement (except for gender). During the sign-up process, though some Wi-Fi networks provided users with the choice to opt-in or opt-out for receiving electronic newsletters and updates, others offered no choice at all.^[13] As a result of the review process, the ICO notified Wi-Fi network providers that it had reviewed and advised them of improvements that they could make to their service and issued guidance^[14] regarding the dangers of using public Wi-Fi^[15]. ICO also recommended users to take time to read all the information given by providers of Wi-Fi services before connecting.

In 2006, the European Data Retention Directive 2006/24/EC^[16] was introduced for the retention of communications data by providers of public electronic communications services for national security. The Directive provides an obligation for providers of publicly available electronic communications services and public communications networks to retain traffic and location data for the purpose of the investigation, detection, and prosecution of serious crime.^[17] Also, the Data Retention (EC Directive) Regulations 2009^[18] were introduced to implement the Directive in the UK. However, this was challenged on grounds of insufficient safeguards for the privacy rights of individuals, given the substantial interference which it facilitated with those rights.^[19]

To ensure protection of user’s data and information, the Data Protection Act 1998^[20] in UK obliges businesses retaining people’s data to comply with the law, which involves informing people about what data is being collected and ensure that the data is stored securely.^[21] . Therefore, in case of ISP’s providing public Wi-Fi service, this would relate to the information people provide when they log on, such as their email address. Under the Act, the data protection principles must be complied with by the data controllers and it needs to be ensured that the information is used fairly and lawfully, for limited and stated purposes, used in a way that is adequate, relevant and not excessive, kept for no longer than is absolutely necessary, handled according to people’s data protection rights, kept safe and secure and not transferred outside the European Economic Area without adequate protection.^[22] This would soon be updated and synced with the European Union’s General Data Protection Directive (GDPR).

3. Overview of Public Wi-Fi in India

In India, the public Wi-Fi in some cases has been offered free for a limited duration, in several cities across the country. For example, in 2014, Bangalore became the first city in the country to establish free public Wi-Fi- Namma Wi-Fi (802.11N) to make Bangalore a smart and connected city. The service is offered at MG Road, Brigade Road and four other locations in Bangalore including Traffic and Transit Management Centres (TTMCs) at Shanthinagar, Yeshwanthpur, Koramangala and CMH Road in Indiranagar.^[23] The internet and Wi-Fi service provider for Namma Wi-Fi is D-VoiS Broadband Ltd,a city-based firm.^[24] However, it seems the State Government plans to pull the plug on the project, funds, lack of awareness and difficulty in access as key constraints.^[25] Tata Docomo has inked an agreement with GMR Airports to offer Wi-Fi services at several International Airports in the country, including the Bangalore International Airport. It offers access to access free Wi-Fi service for 45 minutes, following which they users are required to pay for the service online, to continue using the Wi-Fi service.^[26]

Delhi has also introduced free Wi-Fi at its premier shopping hubs of Connaught Place and Khan Market in the year 2014, and BSNL launched a free WiFi service at Karnataka’s Malpe beach in the year 2016 making it the first WiFi beach in the three coastal districts of the state.^[27] The State Governments of Mumbai, Kolkata, Patna and Ahmedabad also offer free Wi-Fi services in limited areas.^[28] As part of the flagship programme by Indian Government, Digital India, the Government announced the rollout of Wi-Fi services by June 2015 at select public places in 25 Indian cities with population of over 10 lakh and tourist destinations by December 2015.^[29] Also, the Government has plans to digitise India by rolling out free Wi-Fi in 2500 towns and cities over a span of 3 years.^[30] Google plans to deploy WiFi at 100 railway stations in partnership with Railtel. Under this scheme, Mumbai Central was the first station to get free Wi-Fi in the year 2016.^[31] Also, Google's Project Loon aims to provide internet connectivity in remote and rural areas in India, which is currently being tested in other countries.^[32].

4. Indian Policy and Legal Conundrum

In light of national security concerns around the misuse of public Wi-Fi, the Department of Telecommunication, GoI, published a regulation^[33] dated February 2009, defining procedures for the establishment and use of public Wi-Fi to prevent misuse of public Wi-Fi and to be able to track the perpetrator in case of abuse. Indeed, the DOT has stated that “Insecure Wi-Fi networks are capable of being misused without any trail of user at later date”.^[34]

As per the 2009 Regulations, DoT has instructed ISPs to enforce centralized authentication using Login ID and Password for each user to ensure that the identity of the user can be traced.^[35] Regarding Wi-Fi services provided at public places, the Regulations state that bulk login IDs shall be created for controlled distribution, with authentication done at a centralized server. The subscribers are required to use public Wi-Fi by registering with temporary user ID and password, in the following methods:

• Obtaining copy of photo identity of the subscriber, to be maintained by Licensee for one year; or
• Providing details of user ID and password via SMS on subscriber's mobile phone , to be used as his/her identity by keeping the mobile number for one year.

Additionally, the data protection regime in India is governed by section 43A of the Information Technology Act, 2000 and the Rules^[36] notified under it. It obliges corporate bodies which possess, deal or handle any sensitive personal data to implement and maintain reasonable security practices, failing which they would be held liable to compensate those affected by any negligence attributable to this failure. The said Rules also define requirements and safeguards that every Body Corporate is legally required to incorporate into the company's privacy policy. The Rules put restrictions on body corporates on collecting sensitive personal information, and also states that it must obtain prior consent from the “provider of information” regarding “purpose, means and modes of use of the information, along with limiting disclosure of such information.^[37] Most of the ISPs in India being a private company, like D-VoiS and Tata Docomo, are obliged to comply with these provisions. Also, under the model License Agreement for Unified License^[38] by Ministry of Communication & IT, Department of Telecommunications, Government of India, where the Unified Access License Framework allows for a single license for multiple services such as telecom, the internet and television and provides certain security guidelines, privacy of communications is to be maintained by the Licensee (the ISPs in this case) and network security practices and audits are mandated along with penalties for contravention in addition to what is prescribed under the Information Technology Act,2000. It also provides for  ensuring unauthorized interception of messages does not take place. Therefore, the ISPs providing public Wi-Fi services in various cities across India would be governed by the data protection regime and could be held liable under these provisions in case of non-compliance with  the security measures so stated.

In July 2016, the Telecom Regulatory Authority of India (hereinafter referred as “TRAI”) floated a Consultation paper on Proliferation of Broadband through Public Wi-Fi Networks^[39] with an objective to examine the need of encouraging public Wi-Fi networks in the country from a public policy point of view and discuss the issues as well as solutions in its proliferation.  The paper recognises the fact that India is still in a green field deployment phase in terms of adoption of public Wi-Fi services and requires solutions for resolving the challenges and risks  being faced in the process and lay a strong foundation to evolve towards a meaningful position in the advancement of initiatives related to Internet of Things, Smart Cities, etc.^[40] This is an important step towards fulfilment of the Digital India scheme of the Indian Government to ensure better connectivity. In the paper, TRAI has advocated development of a payment platform which allows easy access to Wi-Fi services across internet service providers (ISPs) and through any payment instrument.^[41] Besides that, the paper raises issues of various regulatory, licensing or policy measures required to encourage ubiquitous city-wide Wi-Fi networks as well as expansion of Wi-Fi networks in remote or rural areas, along with the issue of encouraging interoperability between the Wi-Fi networks of different service providers, both within the country and internationally, as well as between cellular and Wi-Fi networks.^[42]

5. Public Wi-Fi and Privacy Concerns

Since proliferation of public Wi-Fi in India is happening at a moderate pace, the paper discusses key issues towards this, one of them being the logistics of deploying this service. This section briefly states and acknowledges privacy and security concerns as an important factor that may be posing issues in the adoption of public Wi-Fi services in the country. Since there have been numerous cases of security vulnerabilities in public Wi-Fi networks worldwide, security of networks and cyber crimes is a key issue for consideration.^[43]

Deployment of public wireless access points has made it more convenient for people to access the Internet outside of their offices or homes. Despite advantages like ease of accessibility, connectivity and convenience, public Wi-Fi connection pose serious concerns as well. “The proliferation of public Wi-Fi is one of the biggest threats to consumer data”,  says David Kennedy, founder of TrustedSec, a specialised information security consulting company based in the United States of America.^[44] Also, the networks become an easier target with little public awareness about the existence of such threats wherein users expose valuable personal data over Wi-Fi hotspots. The recently released Norton Cyber Security Report 2016^[45] shows how the benefit of constant connectivity is often outweighed by consumer complacency, leaving consumers and their Wi-Fi networks at risk. For the purpose of this report, Norton surveyed 20,000 people (over a 1,000 from India ) which reflects that though users in India may be increasingly becoming aware of the cyber threats they face due to use of public Wi-Fi,  they don’t fully understand the accompanying risks and their online behaviour is often contradictory.^[46] Also, it is important to consider that the services which claim to be free, actually generate revenue by advertisements, where the model works by providing free access to internet in exchange for user's’ personal and behavioral data, which is subsequently used to target ads to them.^[47]

Some of the privacy harms stemming from use of public Wi-Fi are listed below.

5.1. Data Theft

With hackers finding it easy to access personal information of the data subjects, data can be  hijacked by unauthorized internet access by spoofing the MAC and IP addresses of the authenticated user’s device or by use of default settings (saved passwords or IPs).^[48] The following kinds of data is at a risk of being stolen and further misused:

• demographic and locational data^[49]
• forms of personal information acting as identifiers like financial information, social and personal information^[50]
• private information like passwords to social networking sites, email accounts and banking websites^[51]
• historical data from the devices^[52]

5.2. Tracking an Individual

Like cell phones, Wi-Fi devices have unique identifiers that can be used for tracking purposes which can cause potential security issues. Tracking by using a Wi-Fi hotspot can also lead to third party harms like stalking.^[53] To receive or use a service, often websites require the user to share their personal information such as name, age, ZIP code, or personal preferences, which is many times shared with advertisers and other third parties, without the knowledge or consent of the users.^[54]

5.3. Makes the Electronic Devices Prone to Hacking and Setting up Fake Networks

A recent experiment conducted by the chief scientist at mobile security firm Appknox at the Bengaluru International Airport, India, found that the wireless devices could be easily hacked over the airport’s free Wi-Fi network due to the easily exploitable security holes in  the software made by Apple, Google, and Microsoft.^[55] A similar experiment was backed by the European law enforcement agency, Europol, where a mobile hotspot was  created in central London^[56] and the hacker was able to gain access to  passwords, apps, and even credit card and banking information with ease.^[57] Lack of secure softwares and prevalence of open, unprotected Wi-Fi has made it fairly easy for hackers to set up fake twin access points that give them access to data histories and personal information.^[58] This makes is easy to track data histories of users. Even if certain softwares use encryption codes, a simple decryption software can be used to obtain the information.^[59]

5.4. Illegal Use of Data

• By authorities: the authorities have easier access to people’s browsing details and habits, and with justification in the name of national security, could be used to monitor the people without their consent.^[60]


• Wi-Fi provider: can sell the user’s demographic and location information. ^[61] Also, it was revealed in a study that the personal information of users is often transmitted by service providers without encryption. Anyone along the path between the user and the service’s data center can then intercept this information, opening users to grave privacy and security risks.^[62]


• By hackers: steal information and hack into unsuspecting victim’s bank accounts and misuse corporate financial information and secrets^[63]

6. Ranking Digital Rights Project

The "Ranking Digital Rights" project, an ongoing international non-profit research initiative,  aims to promote greater respect for freedom of expression and privacy by focusing on the policies and practices of companies in the information communications technology (ICT) sector^[64], rank such companies in this light, and undertake research to develop the ranking methodology.^[65]

In November 2015, the Ranking Digital Rights project launched the Corporate Accountability Index. Since several actors like the Internet and telecommunications companies, software producers, and device and networking equipment manufacturers exert growing influence over the political and civil lives of people all over the world, it is important to state that these organisations  share a responsibility to respect human rights. For this purpose, 16 Internet and telecommunications companies were evaluated according to 31 indicators, which focused on corporate disclosure of policies and practices that affect users’ freedom of expression and privacy.^[66]

The data produced by the index can help companies improve their policies, practices and help them identify challenges faced by companies in meeting their corporate obligations to respect human rights like Freedom of Expression and Privacy in the digital space.^[67] Some of the key corporate practices which affect these rights are :

• How companies handle government requests to hand over user data or restrict content;
• How companies enforce their own terms of service;
• What information companies collect about users and how long they retain it; and
• To whom they share or sell user information.^[68]

The 2015 Corporate Accountability Index assesses transparency levels of the World’s most powerful Internet and telecommunications companies regarding their commitments, policies and practices that affect users’ freedom of expression and privacy and evaluates what companies share about these practices and offers recommendations for improvement. The methodology adopted relies on publicly available information so that advocates, researchers, journalists, policy makers, investors, and users can understand the extent to which different companies respect freedom of expression and privacy, and make appropriate policy, investment, and advocacy decisions. Also, public disclosures would enable researchers and journalists to investigate and verify the accuracy of company statements.^[69]

For the purpose of this research, we would apply this index and the indicators to the internet service provider of public Wi-Fi in Bangalore-D-VoiS Ltd. and Tata Docomo to understand how  comprehensive their privacy policies are when compared to global standards and make informed recommendations. Analysing policies against the index can help these companies identify best practices, as well as the obstacles they face in meeting their corporate obligations to respect human rights in the very digital spheres they helped to create.^[70] The information has been gathered and analysed on the basis of publicly available information, and this can help companies empower users to make informed decisions about how they use technology, which would help build trust between users and companies in the long run.^[71]

6.1. D-VoIS^[72], Bangalore

For the purpose of this case study, the Privacy Policies of D-VoIS have been analysed on the basis of the Corporate Accountability index, and the answers can be accessed in Annex 1.

Summary

On the basis of the indicators and the information available, it can be ascertained that:

• The Company has a freely available and understandable Privacy Policy and Terms of Use, though only in the English language.


• The company does not commit to notify users in case of changes in the privacy policy of the company.


• The company states circumstances in which it would restrict use of its services, along with reasons for content restriction.


• The Company commits to the principle of data minimization, discloses circumstances when it shares information with third parties, and provides users with options to control the company’s collection and sharing of their information


• Deploys industry standards for security of products and services.

Analysis

• Commitment: D-VoIS fares low on Commitment since it has made no overarching public commitments to protect users’ freedom of expression or privacy in a manner that meets the Index’s criteria. The Company lacks adequate top-level policy commitments to users’ freedom of expression and privacy, establishing executive and management oversight over these issues, creating a process for human rights impact assessment, and lacks stakeholder engagement and a grievance mechanism.


• Freedom of Expression: The Company also fares low on Freedom of Expression as the terms of services, though easily available, are only in English language. Also, it does not commit to notify users about changes to the terms of service. While the company discloses what content and activities it prohibits , it provides no information about how the company notifies these restrictions to the users.
  
  Regarding transparency about content restriction requests, since the Indian law prevents the company from disclosing government requests for content removal^[73], but it does not prevent the company from publishing more information about private requests for content restriction. D-VoIS does not provide any information with respect to this.


• Privacy: D-VoIS is required by law to have a privacy policy available on its website, this policy is available in English, but not in other languages spoken in India. Also, D-VoIS does not  disclose what user information is collected, how and why, nor does it offer users meaningful access to their information. D-VoIS does not disclose any information regarding retention of user information, and the company could improve its disclosures about what user information it collects and how long it is retained.
  
  Though the company discloses information about its security practices, it does not disclose any information regarding its efforts to educate users about security threats. It also does not disclose information regarding requests by non-governmental entities for user data.

6.2. Tata Docomo^[74], Bangalore

The Privacy Policy and Terms & Conditions of Tata Docomo have been analysed on the basis of the Corporate Accountability index, and the answers can be accessed in Annex 2.

Summary

On the basis of the indicators and the information available, it can be ascertained that:

• The Company has a freely available and understandable Data Privacy Policy and Terms of Use, though only in English language.


• The Company has established electronic and administrative safeguards designed to secure the information collected to prevent unauthorized access to or disclosure of that information and to ensure it is used appropriately.


• The company states circumstances in which it would restrict use of its services, along with reasons for content restriction. The company’s disclosed policies and practices demonstrate how it works to avoid contributing to actions that may interfere with the  right to freedom of expression, except where such actions are lawful, proportionate and for a justifiable purpose.


• The Company clearly states the kind of information collected, ways of collection and the reasons for collection as well as sharing.


• Deploys industry standards for security of products and services

Analysis

• Commitment: Tata Docomo fares low on Commitment since it has made no overarching public commitments to protect users’ freedom of expression or privacy in a manner that meets the Index’s criteria. Though the Company has established electronic and administrative safeguards designed to secure the information collected, it lacks adequate top-level policy commitments to users’ freedom of expression and privacy, establishing executive and management oversight over these issues, creating a process for human rights impact assessment, and lack of stakeholder engagement.


• Freedom of Expression: The Company fares low on Freedom of Expression as the terms of services, though easily available, are only in English language. Also, it does not commit to notify users about changes to the terms of service. While the company discloses what content and activities it prohibits , it provides no information about how the company notifies these restrictions to the users.
  
  Regarding transparency about content restriction requests, since the Indian law prevents the company from disclosing government requests for content removal, it does not prevent the company from publishing more information about private requests for content restriction. Tata Docomo does not provide any information with respect to that.


• Privacy: Tata Docomo is required by law to have a privacy policy available on its website, this policy is available in English, but not in other languages spoken in India. No information is publically available regarding users option to control company's collection of information. Tata Docomo discloses that user information shall be retained as long as required and does not mention a specific duration for the same. Though the company discloses information about its security practices, it does not disclose any information regarding its efforts to educate users about security threats. It also does not disclose information regarding requests by non-governmental entities for user data.

7. Compliance of Privacy Policies with Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011

The Privacy Policy and Terms & Conditions of D-VoIS and Tata Docomo have been analysed on the basis of the security measures and procedures stated under the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 to ascertain how sound and compliant the framework is with the existing data protection regime in India. The comparison can be accessed in Annex 3.

Comparing the requirements listed under the Rules with the policies of both the companies, it can be said that though the websites of both companies provide privacy policies and are easily accessible, they lack crucial information regarding consent of the user before collection as well as sharing of information. Also, though the policies state the purpose of sharing such data with third parties, it does not state the purpose of collection of the information. The policies are also silent regarding the requirements to be complied with before transferring personal data into another jurisdiction . There is also no information about the companies having a grievance officer. Additionally, though the terms of services of D-VoIS state that the customer may choose to restrict the collection or use of their personal information, both companies do not specifically provide for an opt out mechanism to its users.

8. Conclusion and Recommendations

To allay the numerous concerns regarding privacy and security with respect to public Wi-Fi’s, the ISPs must have a sound Privacy Policy in place. For this purpose, adherence to the indicators as listed under the Corporate Accountability Index, along with requirements for security of personal information stated under the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 and improving the policies accordingly shall greatly contribute to protection of Freedom of Expression and ensure Privacy of user information. Ensuring compliance with the existing data protection regime in the country becomes more important in light of the growing privacy and security concerns due to proliferation of free and public Wi-Fi service in India. Adequate measures like acquiring consent for collection and sharing of user data, commitment by company executives to ensure protection of rights of individuals, adoption of security standards, creating awareness about security concerns, etc. by such corporate must be considered to ensure protection of personal information and reduce the likelihood of a data breach. Both D-VoIS and Tata Docomo must consider the following recommendations in order to meet the criteria set by the Ranking Digital Rights project, ensuring commitment towards protection of right to freedom of expression and privacy of the users.

8.1. Commitment

• Set in place an oversight mechanism to monitor how the company’s policies and practices affect freedom of expression and privacy. In case the Company already has that in place, information regarding the same must be made publically available for greater transparency.
• Also, they must conduct regular, comprehensive, and credible due diligence, such as human rights impact assessments, to identify how all aspects of their business impact freedom of expression and privacy.
• In addition to that, they must Provide for a remedy or grievance mechanism. The Telecom Regulatory Authority of India also requires that all service providers have redress mechanisms. In case the Company already has that in place, information regarding the same must be made publically available for greater transparency.

8.2. Freedom of Expression

• The Companies must make an effort to make the Terms of Service available in the most commonly spoken languages by its users, besides English.
• Also, it is recommended that the Companies must ensure to provide meaningful notice to users regarding change in terms of service.
• Besides disclosing what content and activities the companies prohibit, they must disclose information regarding how it enforces these prohibitions and should provide examples regarding the circumstances under which it may suspend service to individuals or areas to help users understand such policies.
• The Companies must also disclose information regarding the process for evaluating and responding to requests from third parties to restrict content or service. Additionally, it must disclose how long it retains user information, publish process for evaluating and responding to requests from government and other third parties for stored user data and/or real-time communications.

8.3. Privacy

• Though both the Companies disclose that the user information shall be shared with third parties, and Tata Docomo discloses what information is collected and how, yet there should be no legal impediment for the companies to improve its disclosures about what user information it collects, with whom it is shared, and how long it is retained to protect the privacy of the users.
• Though Tata Docomo allows the users to review and correct their Personal Information collected by the Company, D-VoIS must release information regarding whether the users are able to view, download or otherwise obtain all of the information about them that the company holds. In case it does not allow, the Company must duly change its policy regarding the same.
• The Companies must also publish information to help users defend against cyber threats.

^[1] The Financial Express, ‘Free wi-fi: Digital Dilemma’, February 22, 2015,

http://www.financialexpress.com/article/economy/free-Wi-Fi-digital-dilemma/45804/

^[2] Tata Docomo, http://www.tatadocomo.com/

^[3] D-VoIS Communication Pvt. Ltd. http://www.dvois.com/

^[4] Ranking Digital Rights, https://rankingdigitalrights.org/

^[5] the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011. Available at : http://www.wipo.int/edocs/lexdocs/laws/en/in/in098en.pdf

^[6] See : http://indianexpress.com/article/technology/technology-others/public-wifi-can-be-used-to-steal-private-information-it-security-expert/, http://www.aljazeera.com/indepth/features/2016/03/india-unlocking-public-wi-fi-hotspots-160308072320835.html , http://www.business-standard.com/article/technology/indians-most-willing-to-share-personal-data-over-public-wifi-116083000673_1.html and http://articles.economictimes.indiatimes.com/2015-05-20/news/62413108_1_corporate-espionage-hotspots-bengaluru-airport

^[7] Scroll, ‘Free wifi in Delhi is good news but here is the catch’, November 21, 2014, http://scroll.in/article/690755/free-wifi-in-delhi-is-good-news-but-here-is-the-catch

^[8] LinkNYC,  https://www.link.nyc/

^[9] See : http://www.nyclu.org/files/releases/city%20wifi%20letter.pdf

^[10] The Huffingtonpost, ‘Maybe You Shouldn't Use Public Wi-Fi In New York City’, March 16, 2016, http://www.huffingtonpost.in/entry/public-wifi-nyc_us_56e96b1ce4b0b25c9183f74a

^[11] NYCLU, ‘City’s Public Wi-Fi Raises Privacy Concerns’, March 16, 2016,

http://www.nyclu.org/news/citys-public-wi-fi-raises-privacy-concerns

^[12] NYCLU, ‘City’s Public Wi-Fi Raises Privacy Concerns’, March 16, 2016,

http://www.nyclu.org/news/citys-public-wi-fi-raises-privacy-concerns

^[13]Information Commissioner’s Office Blog, ‘Be wary of public Wi-Fi’September 25, 2015, https://iconewsblog.wordpress.com/2015/09/25/be-wary-of-public-Wi-Fi/

^[14]Information Commissioner’s Office Blog, ‘Be wary of public Wi-Fi’September 25, 2015, https://iconewsblog.wordpress.com/2015/09/25/be-wary-of-public-Wi-Fi/

^[15]Marketing Law, ‘The ICO sounds a warning on public wi-fi and privacy’, November 24, 2015,

http://marketinglaw.osborneclarke.com/data-and-privacy/the-ico-sounds-a-warning-on-public-Wi-Fi-and-privacy/

^[16]Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006  http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32006L0024

^[17] Feiler, L., "The Legality of the Data Retention Directive in Light of the Fundamental Rights to Privacy and Data Protection", European Journal of Law and Technology, Vol. 1, Issue 3, 2010, http://ejlt.org/article/view/29/75

^[18] The Data Retention (EC Directive) Regulations 2009 http://www.legislation.gov.uk/ukdsi/2009/9780111473894/pdfs/ukdsi_9780111473894_en.pdf

^[19] Purple, ‘Update on the legal implications of offering public WiFi in the UK’, September 10, 2014, http://purple.ai/update-legal-implications-offering-public-wifi-uk/

^[20] Data Protection Act 1998, http://www.legislation.gov.uk/ukpga/1998/29/contents

^[21] Wireless Social, http://www.wireless-social.com/how-it-works/legal-compliance/

^[22] Data Protection Act 1998, https://www.gov.uk/data-protection/the-data-protection-act

^[23]The Hindu, ‘Free wifi on M.G. Road and Brigade Road from Friday’, January 23, 2014, http://www.thehindu.com/news/cities/bangalore/free-wifi-on-mg-road-and-brigade-road-from-friday/article5606757.ece

^[24]The Telegraph, ‘Free Wi-fi on tech city streets- Bangalore offers five public hotspots’, January 25, 2014, http://www.telegraphindia.com/1140125/jsp/nation/story_17863705.jsp#.VwIv_Zx97IU

^[25]Economic Times, ‘Karnataka Govt pulls the plug on public Wi-Fi spots in Bengaluru’, March 15, 2016, http://tech.economictimes.indiatimes.com/news/internet/karnataka-govt-pulls-the-plug-on-public-Wi-Fi-spots-in-bengaluru/51404414

^[26] Medianama, ‘Why Don’t Indian Airports Offer Free WiFi To Passengers?’, May 22, 2013, http://www.medianama.com/2013/05/223-indian-airports-free-wifi/

^[27]Hindustan Times, ‘BSNL launches free public WiFi at Karnataka’s Malpe beach’, January 25, 2016, http://www.hindustantimes.com/tech/bsnl-launches-free-public-wifi-on-karnataka-s-malpe-beach/story-XVM06KQKIcoyqV8CLJoYzJ.html

^[28]TechTree, ‘Problems With Free City-Wide Wi-Fi Hotspots In India’, September 28, 2015,

http://www.techtree.com/content/features/9914/problems-free-city-wide-Wi-Fi-hotspots-india.html#sthash.2ZSf9kq7.dpuf

^[29]India Today, ‘25 Indian cities to get free public Wi-Fi by June 2015’, December 17, 2014, http://indiatoday.intoday.in/technology/story/25-indian-cities-to-get-free-public-Wi-Fi-by-june-2015/1/407214.html

^[30]Business Insider, ‘Modi Government To Roll Out Free Wi-Fi In 2,500 Towns And Cities To Make India Digital’, January 23, 2015, http://www.businessinsider.in/Modi-Government-To-Roll-Out-Free-Wi-Fi-In-2500-Towns-And-Cities-To-Make-India-Digital/articleshow/45989339.cms

^[31]RailTel launches free high-speed public Wi-Fi service with Google at Mumbai Central, http://www.railtelindia.com/images/Mumbai.pdf

^[32]Economic Times, ‘Google may get government nod to conduct pilot for Project Loon in India’, May 24, 2016,

http://economictimes.indiatimes.com/tech/internet/google-may-get-government-nod-to-conduct-pilot-for-project-loon-in-india/articleshow/52408455.cms

^[33]Department of Telecommunications, Ministry of Communications & IT, Government of India, February 23, 2009, http://www.dot.gov.in/sites/default/files/Wi-%20fi%20Direction%20to%20UASL-CMTS-BASIC%2023%20Feb%2009.pdf

^[34] Scroll, ‘Free wifi in Delhi is good news but here is the catch’ November 21, 2014, http://scroll.in/article/690755/free-wifi-in-delhi-is-good-news-but-here-is-the-catch

^[35]MojoNetworks, ‘Complying with DoT Regulation on Secure Use of WiFi: Less in Letter, More in Spirit’,  http://www.mojonetworks.com/fileadmin/pdf/Implementing_DoT_Regulation_on_WiFi_Security.pdf

^[36] Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011

^[37]The Centre for Internet & Society, ‘Privacy and the Information Technology Act — Do we have the Safeguards for Electronic Privacy?’, April 7, 2011, http://cis-india.org/internet-governance/blog/privacy/safeguards-for-electronic-privacy

^[38]License Agreement for Unified License,  http://www.dot.gov.in/sites/default/files/Unified%20Licence.pdf

^[39] Telecom Regulatory Authority of India, ‘Consultation Paper on Proliferation of Broadband through Public Wi-Fi Networks’ July 13, 2016, https://www.mygov.in/sites/default/files/mygov_1468492162190667.pdf

^[40] Telecom Regulatory Authority of India, ‘Consultation Paper on Proliferation of Broadband through Public Wi-Fi Networks’ July 13, 2016, https://www.mygov.in/sites/default/files/mygov_1468492162190667.pdf

^[41] The Economic Times, ‘Trai floats consultation paper to boost broadband through Wi-Fi in public places’, July 14, 2016, http://economictimes.indiatimes.com/articleshow/53195586.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst

^[42] Telecom Regulatory Authority of India, ‘Consultation Paper on Proliferation of Broadband through Public Wi-Fi Networks’ July 13, 2016, https://www.mygov.in/sites/default/files/mygov_1468492162190667.pdf

^[43]Mint, ‘Trai issues paper on public Wi-Fi networks’ July 14, 2016, http://www.livemint.com/Industry/1jVgso2R2Lz4NR5IYFaCtN/Trai-issues-paper-on-public-WiFi-networks.html

^[44]Forbes,’How To Avoid Data Theft When Using Public Wi-Fi’, March 4, 2014, http://www.forbes.com/sites/amadoudiallo/2014/03/04/hackers-love-public-wi-fi-but-you-can-make-it-safe/#373c75e32476

^[45]Symantec, ‘Norton Cyber Security Insights Report’, 2016, https://www.symantec.com/content/dam/symantec/docs/reports/2016-norton-cyber-security-insights-report.pdf

^[46]The Indian Express, ‘Indian cybercrime victims don’t learn from past experience: Norton Report’, November 18, 2016, http://indianexpress.com/article/technology/tech-news-technology/indian-users-complacent-when-it-comes-to-cyber-security-norton-report/

^[47]Mashable, ‘This is the real price you pay for 'free' public Wi-Fi’, January 26, 2016, http://mashable.com/2016/01/25/actual-cost-free-Wi-Fi/?utm_cid=mash-com-Tw-main-link#WmAJGJ_COiq5

^[48]MojoNetworks, ‘Complying with DoT Regulation on Secure Use of WiFi: Less in Letter, More in Spirit’,  http://www.mojonetworks.com/fileadmin/pdf/Implementing_DoT_Regulation_on_WiFi_Security.pdf

^[49]Network Computing, ‘Public WiFi, Location Data & Privacy Anxiety’, July 4, 2015, http://www.networkcomputing.com/wireless/public-wifi-location-data-privacy-anxiety/1496375374

^[50]Network Computing, ‘Public WiFi, Location Data & Privacy Anxiety’, July 4, 2015, http://www.networkcomputing.com/wireless/public-wifi-location-data-privacy-anxiety/1496375374

^[51]The Indian Express, ‘Public Wifi can be used to steal private information: IT Security Expert’, May 19, 2015, http://indianexpress.com/article/technology/technology-others/public-wifi-can-be-used-to-steal-private-information-it-security-expert/#sthash.xiuWtL6v.dpuf

^[52]Medium, ‘Maybe Better If You Don’t Read This Story on Public WiFi’, October 14, 2014, https://medium.com/matter/heres-why-public-wifi-is-a-public-health-hazard-dd5b8dcb55e6#.3061h6lsv

^[53]Network Computing, ‘Public WiFi, Location Data & Privacy Anxiety’, July 4, 2015, http://www.networkcomputing.com/wireless/public-wifi-location-data-privacy-anxiety/1496375374

^[54]University of Washington, Computer Science and Engineering, ‘When I am on Wi-Fi, I am Fearless:” Privacy Concerns & Practices in Everyday Wi-Fi Use’, https://djw.cs.washington.edu/papers/wifi-CHI09.pdf

^[55]Breitbart, ‘Fre Public Wi-Fi poses security risks’, May 19, 2015, http://www.breitbart.com/big-government/2015/05/19/free-public-wifi-poses-security-risk/

^[56]The Guardian, ‘Londoners give up eldest children in public Wi-Fi security horror show’, September 29, 2014,  https://www.theguardian.com/technology/2014/sep/29/londoners-Wi-Fi-security-herod-clause

^[57] Medium, ‘Maybe Better If You Don’t Read This Story on Public WiFi’, October 14, 2014, https://medium.com/matter/heres-why-public-wifi-is-a-public-health-hazard-dd5b8dcb55e6#.3061h6lsv

^[58]ABC13, ‘Hackers set up fake Wi-Fi hotspots to steal your information, July 10, 2015, http://abc13.com/technology/hackers-set-up-fake-Wi-Fi-hotspots-to-steal-your-information/835223/

^[59]Medium, ‘Maybe Better If You Don’t Read This Story on Public WiFi’, October 14, 2014, https://medium.com/matter/heres-why-public-wifi-is-a-public-health-hazard-dd5b8dcb55e6#.3061h6lsv

^[60] Scroll, ‘Free wifi in Delhi is good news but here is the catch’ November 21, 2014, http://scroll.in/article/690755/free-wifi-in-delhi-is-good-news-but-here-is-the-catch

^[61] Scroll, ‘Free wifi in Delhi is good news but here is the catch’ November 21, 2014, http://scroll.in/article/690755/free-wifi-in-delhi-is-good-news-but-here-is-the-catch

^[62]University of Washington, Computer Science and Engineering, ‘When I am on Wi-Fi, I am Fearless:” Privacy Concerns & Practices in Everyday Wi-Fi Use’, https://djw.cs.washington.edu/papers/wifi-CHI09.pdf

^[63] Breitbart, ‘Fre Public Wi-Fi poses security risks’, May 19, 2015, http://www.breitbart.com/big-government/2015/05/19/free-public-wifi-poses-security-risk/

^[64] Ranking Digital Rights, https://rankingdigitalrights.org/who/frequently-asked-questions/

^[65] Business & Human Rights Resource Centre, ‘Ranking Digital Rights Project’, http://business-humanrights.org/en/documents/ranking-digital-rights-project

^[66] Ranking Digital Rights, https://rankingdigitalrights.org/about/

^[67] Ranking Digital Rights, https://rankingdigitalrights.org/about/

^[68] Ranking Digital Rights, https://rankingdigitalrights.org/who/frequently-asked-questions/

^[69] Ranking Digital Rights, https://rankingdigitalrights.org/who/frequently-asked-questions/

^[70] Ranking Digital Rights, https://rankingdigitalrights.org/about/

^[71] Ranking Digital Rights, https://rankingdigitalrights.org/who/frequently-asked-questions/

^[72] D-VoIS Communication Pvt. Ltd. http://www.dvois.com/

^[73]Section 16 of the Information Technology (Procedure and Safeguards for Blocking for Access of Information by Public) Rules, 2009 states that all request and complaints must be kept confidential.

^[74] Tata Docomo, http://www.tatadocomo.com/

Download the Paper (PDF)

Introduction

The writ of habeas data was a distinct response to these recent histories which provided individuals with basic rights to access personal information collected by the state (and sometimes byprivate agencies of a public nature) and to challenge and correct such data, requiring the state to safeguard the privacy and accuracy of people's personal data.[1]

The origins of Habeas Data are traced back, unsurprisingly, to the European legal regime since Europe is considered as the fountainhead of modern data protection laws. The inspiration for Habeas Data is often considered to be the Council of Europe's 108th Convention on Data Protection of 1981.[2] The purpose of the Convention was to secure the privacy of individuals regarding the automated processing of personal data. For this purpose, individuals were granted several rights including a right to access their personal data held in an automated database.[3]

Another source or inspiration behind Habeas Data is considered to be the German legal system where a constitutional right to information self-determination was created by the German Constitutional Tribunal by interpretation of the existing rights of human dignity and personality. This is a right to know what type of data is stored on manual and automatic databases about an individual, and it implies that there must be transparency on the gathering and processing of such data.[4]

Habeas Data is essentially a right or mechanism for an individual complaint presented to a constitutional court, to protect the image, privacy, honour, information self-determination and freedom of information of a person. [5]

A Habeas Data complaint can be filed by any citizen against any register to find out what information is held about his or her person. That person can request the rectification, update or even the destruction of the personal data held, it does not matter most of the times if the register is private or public.[6]

Habeas Data in different jurisdictions

Habeas Data does not have any one specific definition and has different characteristics in different jurisdictions. Therefore, in order to better understand the right, it will be useful to describe the scope of Habeas Data as it has been incorporated in certain jurisdictions in order to better understand what the right entails:[7]

Brazil

The Constitution of Brazil grants its citizens the right to get a habeas data “a. to assure knowledge of personal information about the petitioner contained in records or data banks of government agencies or entities of a public character; b. to correct data whenever the petitioner prefers not to do so through confidential judicial or administrative proceedings;[8]

The place or tribunal where the Habeas Data action is to be filed changes depending on who is it presented against, which creates a complicated system of venues. Both the Brazilian constitution and the 1997 law stipulate that the court will be:

• The Superior Federal Tribunal for actions against the President, both chambers of Congress and itself;
• The Superior Justice Tribunal for actions against Ministers or itself;
• The regional federal judges for actions against federal authorities;
• State tribunals according to each state law;
• State judges for all other cases.[9]

Paraguay
The Constitution of Paraguay grants a similar right of habeas data in its constitution which states:

"All persons may access the information and the data that about themselves, or about their assets, [that] is [obren] in official or private registries of a public character, as well as to know the use made of the same and of their end. [All persons] may request before the competent magistrate the updating, the rectification or the destruction of these, if they were wrong or illegitimately affected their rights."[10]

Compared to the right granted in Brazil, the text of the Paraguay Constitution specifically recognises that the citizen also has the right to know the use his/her data is being put to.

Argentina

Article 43 of the Constitution of Argentina grants the right of habeas data, though it has been included under the action of “amparo”,[11] the relevant portion of Article 43 states as follows:

"Any person may file an amparo action to find out and to learn the purpose of data about him which is on record in public registries or data banks, or in any private [registers or data banks] whose purpose is to provide information, and in case of falsity or discrimination, to demand the suppression, rectification, confidentiality, or updating of the same. The secrecy of journalistic information sources shall not be affected."[12]

The version of Habeas Data recognised in Argentina includes most of the protections seen in Brazil and Paraguay, such as the right to access the data, rectify it, update it or destroy it, etc. Nevertheless, the Argentinean constitution also includes certain other features such as the fact that it incorporates the Peruvian idea of confidentiality of data, being interpreted as the prohibition to broadcast or transmit incorrect or false information. Another feature of the Argentinean law is that it specifically excludes the press from the action, which may be considered as reasonable or unreasonable depending upon the context and country in which it is applied.[13]

Venezuela
Article 28 of the Constitution of Venezuela established the writ of habeas data, which expressly permits access to information stored in official and private registries. It states as follows:

"All individuals have a right to access information and data about themselves and about their property stored in official as well as private registries. Secondly, they are entitled to know the purpose of and the policy behind these registries. Thirdly, they have a right to request, before a competent tribunal, the updating, rectification, or destruction of any database that is inaccurate or that undermines their entitlements. The law shall establish exceptions to these principles. By the same token, any person shall have access to information that is of interest to communities and groups. The secrecy of the sources of newspapers-and of other entities or individuals as defined by law-shall be preserved."[14]

The Venezuelan writ of habeas data expressly provides that individuals "are entitled to know the purpose of and the policy behind these registries." Also, it expresses a right to "updating, rectification, or destruction of any database that is inaccurate or that undermines their entitlements." Article 28 also declares that the “secrecy of the sources of newspapers and of other entities or individuals as defined by law-shall be preserved."[15]

Philippines

It is not as if the remedy of Habeas Data is available only in Latin American jurisdictions, but even in Asia the writ of Habeas Data has been specifically granted by the Supreme Court of the Philippines vide its resolution dated January 22, 2008 which provides that “The writ of habeas data is a remedy available to any person whose right to privacy in life, liberty or security is violated or threatened by an unlawful act or omission of a public official or employee, or of a private individual or entity engaged in the gathering, collecting or storing of data or information regarding the person, family, home and correspondence of the aggrieved party.” According to the Rule on Writ of Habeas Data, the petition is to be filed with the Regional Trial Court where the petitioner or respondent resides, or which has jurisdiction over the place where the data or information is gathered, collected or stored, at the option of the petitioner. The petition may also be filed with the Supreme Court or the Court of Appeals or the Sandiganbayan when the action concerns public data files of government offices.[16]

Two major distinctions are immediately visible between the Philippine right and that in the latin jurisdictions discussed above. One is the fact that in countries such as Bazil, Argentina and Paraguay, there does not appear to be a prerequisite to filing such an action asking for the information, whereas in Philippines it seems that such a petition can only be filed only if an individual’s “right to privacy in life, liberty or security is violated or threatened by an unlawful act or omission”. This means that the Philippine concept of habeas data is much more limited in its scope and is available to the citizens only under certain specific conditions. On the other hand the scope of the Philippine right of Habeas Data is much wider in its applicability in the sense that this right is available even against private individual and entities who are “engaged in the gathering, collecting or storing of data or information regarding the person, family, home and correspondence”. In the Latin American jurisdictions discussed above, this writ appears to be available only against either public institutions or private institutions having some public character.

Main features of Habeas Data

Thus from the discussion above, the main features of the writ of habeas data, as it is applied in various jurisdictions can be culled out as follows: [17]

• It is a right to the individual or citizen to ask for his/her information contained with any data registry;
• It is available only against public (government) entities or employees; or private entities having a public character;[18]
• Usually it also gives the individuals the right to correct any wrong information contained in the data registry;
• It is a remedy that is usually available by approaching any single judicial forum.

Since the writ of Habeas Data has been established and evolved primarily in Latin American countries, there is not too much literature on it available freely in the English language and that is a serious hurdle in researching this area. For example, this author did not find many article mentioning the scope of the writ of habeas data, for example whether it is an absolute right and on what grounds can it be denied. The Constitution of Venezuela, for example, specifies that the law shall establish exceptions to these principles and infact mentions the secrecy of sources for newspapers as an exception to this rule.[19]

Similarly in Argentina, there exists a public interest exception to the issuance of the writ of Habeas Data.[20]

That said, although little literature on the specific exceptions to habeas data is freely available in English, references can still be found to exceptions such as state security (Brazil), secrecy of newspaper sources (Argentina and Venezuela), or other entities defined by law (Venezuela).[21]

This suggests that the, as would be expected, the right to ask for the writ of habeas data is not an absolute right but would also be subject to certain exceptions and balanced against other needs such as state security and police investigations.

Habeas Data in the context of Privacy

Data protection legislation and mechanisms protect people against misuse of personal information by data controllers. Habeas Data, being a figure for use only by certain countries, gives the individuals the right to access, correct, and object to the processing of their information.

In general, privacy is the genus and data protection is the species, data protection is a right to personal privacy that people have against the possible use of their personal data by data controllers in an unauthorized manner or against the requirements of force. Habeas Data is an action that is brought before the courts to allow the protection of the individual’s image, privacy, honour, self-determination of information and freedom of information of a person. In that sense, the right of Habeas Data can be found within the broader ambit of data protection. It does not require data processors to ensure the protection of personal data processed but is a legal action requiring the person aggrieved, after filing a complaint with the courts of justice, the access and/or rectification to any personal data which may jeopardize their right to privacy.[22]

Habeas Data in the Indian Context

Although a number of judgments of the Apex Court in India have recognised the existence of a right to privacy by interpreting the fundamental rights to life and free movement in the Constitution of India,[23]

the writ of habeas data has no legal recognition under Indian law. However, as is evident from the discussion above, a writ of habeas data is very useful in protecting the right to privacy of individuals and it would be a very useful tool to have in the hands of the citizens. The fact that India has a fairly robust right to information legislation means that atleast some facets of the right of habeas data are available under Indian law. We shall now examine the Indian Right to Information Act, 2005 (RTI Act) to see what facets of habeas data are already available under this Act and what aspects are left wanting. As mentioned above, the writ of habeas data has the following main features:

• It is a right to the individual or citizen to ask for his/her information contained with any data registry;
• It is available only against public (government) entities or employees; or private entities having a public character;[24]
• Usually it also gives the individuals the right to correct any wrong information contained in the data registry;
• It is a remedy that is usually available by approaching any single judicial forum.

We shall now take each of these features and analyse whether the RTI Act provides any similar rights and how they differ from each other.

Right to seek his/her information contained with a data registry

Habeas data enables the individual to seek his or her information contained in any data registry. The RTI Act allows citizens to seek “information” which is under the control of or held by any public authority. The term information has been defined under the RTI Act to mean “any material in any form, including records, documents, memos, e-mails, opinions, advices, press releases, circulars, orders, logbooks, contracts, reports, papers, samples, models, data material held in any electronic form and information relating to any private body which can be accessed by a public authority under any other law for the time being in force”.[25]

Further, the term “record” has been defined to include “(a) any document, manuscript and file; (b) any microfilm, microfiche and facsimile copy of a document; (c) any reproduction of image or images embodied in such microfilm (whether enlarged or not); and (d) any other material produced by a computer or any other device”. It is quite apparent that the meaning given to the term information is quite wide and can include various types of information within its fold. The term “information” as defined in the RTI Act has been further elaborated by the Supreme Court in the case of Central Board of Secondary Education v. Aditya Bandopadhyay,[26]

where the Court has held that a person’s evaluated answer sheet for the board exams held by the CBSE would come under the ambit of “information” and should be accessible to the person under the RTI Act.[27]

An illustrative list of items that have been considered to be “information” under the RTI Act would be helpful in further understanding the concept: