Internet Governance Main

Speaking on the status of 5g in India at a virtual summit, Niti Aayog CEO Amitabh Kant noted the country is set to go all out in its adoption, but that there exist security concerns with the technology. He also pointed out that India is yet to make a decision on the participation of Chinese telecom companies in its 5g infrastructure. In many ways, this has been the story of 5g adoption globally. Governments see the potential of 5g to usher in a new era of prosperity and development but are wary of the risks it poses. Central to these risks is the fear of espionage conducted by Chinese corporations like Huawei and ZTE that are the major suppliers of the components required for 5g networks. These concerns have resulted in a multitude of sanctions being levied against Chinese telecom corporations by Western nations. Whether that be through the United States citing cybersecurity concerns while issuing an executive order effectively banning Chinese companies Huawei and ZTE  from participating in their 5g telecom network. Or UK Prime Minister Boris Johnson laying out a 2027 deadline for removal of all Huawei equipment from UK networks.

Closer to home, 2020 has already seen a severe deterioration in Sino-Indian relations following cross border firing at the Glawan valley. The Indian government has deployed a number of cyber related sanctions against China in retaliation for the military clashes between the States - such as the banning of a number of Chinese apps, including TikTok. Despite these sanctions being levied against China, one area where no action has yet been taken is Chinese companies’ participation in India’s 5g infrastructure. As of writing, Chinese telecom companies are still permitted to undertake testing of 5g within India. However in light of the strained relationship between the two countries, as well as the security concerns now identified by other States, a scenario where Chinese companies are banned from India’s telecom networks in the future is plausible - if not highly likely.

The possibility of such a scenario raises a number of questions. How would such a ban on Chinese participation in 5g affect India domestically? Would banning Chinese telecom companies be enough to solve India’s 5g security concerns? And if not how can India develop a strategy to ensure that consumers have fair access to secure 5g networks?

Why have Chinese vendors been banned in other countries?

The primary concern from the West relates to Huawei’s proximity to the Chinese Government. Chinese legislation requiring Chinese companies to assist the State in matters of national intelligence are seen as obvious threats by the US and its allies in a situation wherein trust is hard to come by. While Huawei has stated that it would not cooperate with China in any form of geopolitical espionage, this has done little to quell suspicion. 

What does banning Chinese companies mean for Indian consumers?

As of right now, not much really. 5g is at an incredibly nascent stage and its adoption in India is estimated to be a few years away at the earliest, with no clear deadline on when some of the 5g spectrum will be auctioned off in India. Moreover, Chinese companies are as of now permitted to undertake 5g testing in the country.

However, in a hypothetical situation where these companies are banned, the effects will be seen in a few years time. The most obvious impact is that a ban for Chinese providers will result in a less competitive market consisting of fewer actors. Developing 5g in India is incredibly expensive for three reasons. Firstly, is the cost associated with upgrading infrastructure to that which is compatible and optimized for 5g. Secondly, India has the highest cost (reserve price) for purchasing spectrum in the world. Thirdly is existing debt among telecom companies. The costs involved in developing 5g to these companies, therefore, far outweighs the benefits. This problem will only be compounded by banning Chinese companies in the space, who are seen to operate cheaper than their European counterparts. Such a ban could therefore further delay 5g’s adoption in India by a significant amount of time.

Moreover, given the security concerns, the government could proceed with favouring Indian only companies within the sector.  With Reliance now claiming to have developed its own 5g technology within India it could result in a situation wherein it becomes the primary, or even sole, provider for 5g infrastructure in India. Any such corporate monopoly over such critical infrastructure would undoubtedly harm domestic consumers. 

Does banning Chinese companies solve India’s security concerns relating to 5g?

Despite all of the potential negative repercussions, the argument to exclude a hostile nation from potentially having access into Indian infrastructure is a persuasive one. Citizens data privacy and national security have to be prioritised over any marginal economic gains that may result from allowing Chinese corporations to be involved in 5g infrastructure. And it's feasible that the negative side effects regarding the rise of a domestic monopoly can be handled by effective State regulation. But this leaves us with the question, is banning Chinese companies all that the government has to do to ensure 5g is implemented securely?

Not really. Limiting the involvement of Chinese companies will undoubtedly remove certain threats of espionage, but this is far from the only concern with 5g. While 5g has made certain improvements in security when compared to 4g, it is far from unbreakable. Firstly, initial rollouts of 5g are expected to be done on top of existing cellular networks so as to avoid new infrastructure costs.  This interoperation of 5g with existing 4g (and in some cases 3g) networks will result in early 5g being subject to the same exploits that 4g is. 

Secondly, 5g presents a risk due to the additional avenues through which it can be attacked. 5gs software based routing system and its connection to a wide amount of traffic points through the internet of things (IOT) would create more points of potential vulnerability that can be exploited. Finally, the globally accepted standards of 5g themselves allow companies the discretion to implement them in a more lenient manner. This includes making optional the use of certain cypher algorithms that look to protect user integrity. So it would come as no surprise that companies motivated by the profit motive would in the future look to cut these corners, making the network less secure.

All of this comes together to mean one thing: no matter how many Chinese companies India excludes from its 5g infrastructure, it will never be absolutely secure. Moreover, needing such formalised access through a company has never been a prerequisite for a State to target another through a cyber attack. Cyber attacks perpetrated by external actors outside of companies or States have existed in the past and will continue to exist in the future. Now that isn’t to say that the government should include Chinese corporations in 5g - the concerns over espionage make it clear that they shouldn’t be involved. What it does say, however, is that this has to be one step in a larger 5g strategy that would look to ensure implementation while maintaining security.

 India’s 5g strategy

In order for 5g’s implementation in India to be successful it has to fulfil two criteria - it must be secure and it must generally be in the economic interest of the consumer. Both of these criteria can be met with a mixture of legislative and strategic decisions.

On the side of security, the most obvious step that can be taken would be to prevent the participation of those companies that are either primarily based in a hostile State or that can be significantly compromised through foreign legislation - such as Huawei and ZTE. In terms of legislative actions, the government must aim to address the security concerns regarding 5g as part of a dedicated cybersecurity law. Such a cybersecurity law must ensure that telecom companies are tasked with a duty of care to ensure cybersecurity and privacy of user data. This would compel companies working on 5g to ensure that they meet the highest threshold of security standards when implementing their networks. Such a law can also lay down strict requirements and standards of data encryptions that can serve to minimise damage in cases wherein a 5g system is compromised.

On the economic side, the government must view 5g as a form of critical infrastructure. If we are to believe the vision of a future wherein 5g is a necessity then the State must take steps to ensure its widespread availability to all sections of society by limiting its cost. Private participation in this sector must therefore be appropriately regulated keeping this goal in mind. Given the reduction in market actors for security reasons, there must be strict enforcement of competition laws to prevent domestic telecom providers from forming monopolies or cartels and setting exorbitant prices. One other way to reduce costs would be for the State to ensure that gaps in 5g supply chains are properly dealt with so as to reduce dependence on foreign States’ for components. Beyond these measures, consumers must also be educated so as to be able to make better informed decisions regarding their 5g access and have recourse to efficient grievance redressal mechanisms.

Ultimately if India is to ensure that 5g is implemented in a manner that is both safe and fair, it must look to balance out security and consumer benefit. And while banning Chinese corporations would make the system more secure, such an action would mean little without a series of additional steps to handle other security concerns with 5g while ensuring that Indian consumers don’t miss out.

This submission is a response by the researchers at CIS to the report “Designing the Future of Dispute Resolution: The ODR Policy Plan for India” prepared by the NITI Aayog Expert Committee on ODR. 

We have put forward the following comments based on our analysis of the draft report.

1. Structural considerations with ODR itself

• The report classifies ODR as a singular entity rather than a group of technologies that require different approaches.

• Currently ODR still has a number of functional limitations such as difficulty to account for nuance, limitation of algorithms and vulnerability of the systems.

• The report also fails to address how the psychological limitations involved with ODR, such as involving communication, perception and preferences of parties will be solved for when implemented at the national level. 
  
  

2. Socio-Economic considerations when transitioning to nation wide ODR 

• There is a lack of current access to digital infrastructure that limits ODR’s effectiveness.

• The projections made in the report disproportionately rely on market forces while suggesting a lack of mandated standards
  
  

3. Privacy and Security concerns with moving to ODR

• Need for greater clarity on oversight and regulation of ODR platforms

• An independent sectoral regulator is a necessity
  
  

4. Other comments 

• The opt out model proposed must be changed to allow for the option of ADR as well. 

 Link to full report:  https://cis-india.org/internet-governance/legal-and-policy-implications-of-autonomous-weapons-systems

Wars have been a part of human existence from the very beginning. However, the evolution of civilization has led to the evolution of wars. As a society, our discourse is now centred around on how this new generation of wars is best fought rather than whether at all to fight them. This inevitability of war has further led countries to develop means and methods of warfare, for inevitability of war is only acceptable when it is accompanied by the inevitability of victory. Autonomous Weapon Systems (AWS) or Lethal Autonomous Weapons Systems (LAWS) have, in recent times, sparked a global debate regarding what is being called the future of technology: artificial intelligence. In the backdrop of revolutionizing wars, AWS are being developed by certain countries to gain an edge over the others, forcing others to participate in the arms race of the 21st century in order to prevent asymmetric development of warfare. The international community must now contemplate the legal, moral and ethical implications of further developing existing automated weapons and giving them more autonomy than ever before. 

 It is to ally such concerns that a Group of Governmental Experts (GGE) was convened by the United Nations Convention on Certain Conventional Weapons (UN CCW) in December 2016, clearly demonstrating the global interest in the issue at hand. The Convention on Prohibitions or Restrictions on the Use of Certain Conventional Weapons Which May Be Deemed to Be Excessively Injurious or to Have Indiscriminate Effects or the UN CCW was established with the aim of restricting weapons considered to cause unnecessary suffering and impact civilians disproportionately and indiscriminately. 

 
This paper is divided into 4 Chapters. 

Chapter I authored by Anoushka Soni defines and differentiates between certain key terms imperative for a better understanding of autonomous weapon systems in all its technicalities. Further, the Chapter also provides a broad overview of the difference in existing state practice by reviewing the lack of universality of a definition for autonomous weapons. 

Chapter II also authored by Anoushka Soni analyses autonomous weapons from the perspective of international humanitarian law. It first contemplates the prima facie illegality of autonomous weapons, and subsequently focuses on their lawful use with regard to the principles of distinction, proportionality and military necessity and the conclusion provides a normative look at the way forward. 

Chapter III authored by Elizabeth Dominic goes into the question of accountability and redress and evaluates models of criminal and civil liability in case autonomous weapons systems go wrong.

Chapter IV authored by Elizabeth Dominic  evaluates the role of the private sector in the development, trade and policy framework on autonomous weapons systems around the world.

For over a year, researchers at the Centre for Internet and Society have been studying website blocking by internet service providers (ISPs) in India. We have learned that major ISPs don’t always block the same websites, and also use different blocking techniques. To take this study further, and map net neutrality violations by ISPs, we need your help. We have developed CensorWatch, a research tool to collect empirical evidence about what websites are blocked by Indian ISPs, and which blocking methods are being used to do so. Read more about this project (link), download CensorWatch (link), and help determine if ISPs are complying with India’s net neutrality regulations.

Introduction

The ongoing COVID-19 pandemic is one of the biggest health emergencies to hit the world in a long time. The health measures recommended by experts for the prevention and containment of the spread of COVID-19 include regular washing of hands, wearing masks, maintaining physical distance, isolation of suspected cases, etc. At the community level case isolation and contact tracing have emerged as key elements of the comprehensive strategy to control the spread and transmission of COVID-19. To this end the government of India, launched a contact tracing app known as Aarogya Setu and encouraged (in certain cases with a tinge of intimidation) the people to install and use the same in order to bolster its contact tracing measures. 

Although a lot of attention has been given to the privacy issues related to the Aarogya Setu app, there has been comparatively less focus on the other measures taken by the Central and State governments for containment of COVID-19. Some of these measures include – stamping suspected cases with “Home Quarantine” using indelible ink (Maharashtra, Delhi, Karnataka), pasting notices outside the houses of individuals advised home quarantine (Delhi, Mumbai), establishing containment zones around the residences of COVID-19 positive patients, releasing the names and addresses of COVID-19 positive patients, etc. It is obvious that all these measures involve some measure of violation of the right to privacy of the individual concerned. However (as mentioned above) there has been little public discussion around the privacy rights violated by these measures, especially when one compares it to the media attention garnered by the privacy issues related to the Aarogya Setu app. It is not easy to find the reasons behind most of the measures mentioned above in official government guidelines as  the guidelines themselves are often not publicly present or readily available online.Wherever such guidelines are available, such as the Central Government guidelines regarding containment zones, they do not contain any background as to why the government feels that such measures are needed. 

Although it is obvious enough to everyone that there are privacy issues involved in the government measures listed above however that does not necessarily mean that these measures necessarily violate the right to privacy of an individual. This is because like any other legal right, the right to privacy is also not absolute and in certain cases the right to privacy has to give way to other considerations. We shall therefore discuss the privacy implications of the different government actions in this series of posts, each of which shall analyze one specific type of government response to determine whether it complies with the principle of protection of the right to privacy. In this particular piece we shall examine whether releasing the names of COVID positive patients violates their right to privacy.

The Law on Privacy

The right to privacy was not always recognized under Indian law, in fact early Supreme Court decisions such as M.P. Sharma v. Satish Chandra, [AIR 1954 SC 30] and Kharak Singh v. State of U.P., [AIR 1963 SC 1295] specifically denied the existence of a right to privacy. The first semblance of judicial recognition for the right to privacy was the minority opinion in Kharak Singh which was later adopted as the majority view in Gobind v. State of M.P., [(1975) 2 SCC 148] to uphold the existence of a right to privacy in India. However due to the fact that Gobind and other decisions recognizing the right to privacy such as R. Rajagopal v. State of Tamil Nadu, [(1994) 6 SCC 632] and People’s Union for Civil Liberties v. Union of India, [(1997) 1 SCC 301] were delivered by smaller Benches of the Supreme Court, a Nine Judge Bench was constituted in K.S. Puttaswamy v. Union of India, [(2017) 10 SCC 1] to authoritatively decide the existence and scope of the right to privacy. The Supreme Court in Puttaswamy not only categorically recognized the right to privacy, but also discussed in detail its origins and scope as well as the circumstances under which the right may be limited. 

While a detailed analysis of the judgment and the law of privacy itself is beyond the scope of this paper, it might be useful to recount here the brief essence of the Puttaswamy judgment. Since there were six different orders delivered in this case, for the sake of avoiding any confusion, we will discuss only the judgment delivered by Justice D.Y. Chandrachud since that was the judgment delivered on behalf of four Judges (while the other five judgments were delivered on behalf of individual Judges), and therefore would have the most weight as a precedent. In this judgment it was held that privacy is a constitutionally protected right emerging not only from the right to privacy guaranteed under Article 21 of the Constitution but its elements also arise in varying contexts from other facets of freedom and dignity recognized and guaranteed under other fundamental rights. It was further held that not only does privacy include at its core the preservation of human intimacies, it also connotes a right to be left alone. While the legitimate expectation of privacy may vary from the private to the public arenas, it is not lost or surrendered merely because the individual is in a public place since it is an essential facet of the dignity of the human being. Informational privacy has also been specifically recognized as a facet of the right to privacy. 

Most importantly the Court held that like other fundamental rights the right to privacy is also not an absolute right. However an invasion of privacy has to be justified on the basis of a law which stipulates a procedure which is just, fair and reasonable. The Court specified a three-fold test for any action that violates the right to privacy: (i) legality, which postulates the existence of law; (ii) need, defined in terms of a legitimate state aim; and (iii) proportionality which ensures a rational nexus between the objects and the means adopted to achieve them. We will examine the various State actions in light of the principles above and analyse whether each of these actions satisfy the three-fold test laid down in Puttaswamy.

Analysis of Government Action 

In a number of states such as Uttar Pradesh, Orissa, etc. a daily list of the names, age, address, etc. of the individuals who have been reported to be COVID positive is released and widely circulated. Although this practice may now have ceased in some places, previously such lists were released either through the conscious actions or the negligence of the state health authorities. The release of such information in the public domain clearly has privacy repercussions for the individuals concerned. Besides, these actions also seem to be at odds with the Guidelines issued by the Central Government titled “Addressing Social Stigma Associated with COVID-19” which categorically ask the public not to spread names or identity of those affected or under quarantine or their locality on social media. The Madras High Court in a recent decision (K. Narayanan v. Chief Secretary, Government of Tamil Nadu) relied on the above Guidelines to reject a petition requiring the state government to publish the names of all COVID positive patients on a website. The reason for such a prayer was to warn the public to stay away from such COVID positive patients in order to prevent the spread of the disease. However this argument was categorically rejected by the Court on the ground that publishing the names may lead to law and order problems as well as social stigma for the patients and their families. 

The Indian Medical Council (Professional Conduct, Etiquette and Ethics) Regulations, 2002 also require physicians to keep patient information confidential except in situations where such information needs to be used to prevent a healthy person from being exposed to a communicable disease (Indian Medical Council (Professional conduct, Etiquette and Ethics) Regulations, 2002, Chapter II, section 2.2). Even the World Health Organization’s Guidance on contact tracing requires that “ethics of public health information, data protection, and data privacy must be considered at all levels of contact tracing activities” and that safeguards must be put in place to guarantee privacy and data protection in accordance with the legal frameworks of the countries. The Supreme Court in the case of Mr. “X” vs. Hospital “Z”, [AIR 1999 SC 495] has also upheld the right to privacy of a patient regarding his medical records, except insofar as it may be necessary to disclose such information in order to protect third parties from harm.

As far as the legal framework of the right to privacy is concerned, the Supreme Court in Puttaswamy clearly states that the sphere of privacy stretches to those matters where there is a reasonable expectation of privacy and then specifically recognizes medical information as a category of data where such an expectation of privacy would exist. The specific example of medical records is used by the Supreme Court to illustrate the point on balancing a legitimate state interest in the private information of its citizens vis-à-vis the individual’s right to privacy. It was recognized that although medical records are generally protected by the right to privacy, the state may assert a legitimate interest in analyzing medical records to understand and deal with a public health epidemic to prevent a serious impact on the population. However the Court put a very important caveat saying that such information may be used by the state if it preserves the anonymity of the individual. Thus the state may assert a legitimate interest in acquiring and using health records of individuals to deal with an epidemic provided it preserves the anonymity of the individual. 

The above illustration from the judgement seems to suggest that the State only has the power to retain the health records of individuals if their anonymity is preserved and does not have the power to make such records public at all. However this interpretation was implicitly rejected by the Orissa High Court in Ananga Kumar Otta v. Union of India and others, (Writ Petition (PIL) No.12430 of 2020, Order dated 16-07-2020). A PIL (Public Interest Litigation) was filed by an advocate asking the Court to issue directions to the state authorities to take action against those persons whose actions or negligence led to the disclosure of the names of COVID positive patients and also to ensure that such events do not happen in the future. The State of Odisha claimed that it had passed the Odisha COVID-19 Regulations, 2020 which provided that the name, exact address and phone number of persons under treatment should not be disclosed, except in special circumstances affecting public health and safety and with the approval of the State Government. Discussing (and implicitly upholding) the Regulations the Court refused to pass a blanket order preventing the disclosure of the names of COVID patients as the Regulations provided that there would be no indiscriminate disclosure, rather any disclosure of identity would only be in exceptional circumstances. The Court however clarified that any action of disclosure under these exceptional circumstances as per the Regulations would also have to satisfy the triple test laid down in Puttaswamy.  

Conclusion

The legal position that emerges from the above analysis is that the names and addresses of COVID positive patients cannot be released by the state authorities under normal circumstances as this would be violative of the right to privacy. However since the right to privacy is not absolute and is subject to exceptions, therefore there can be no absolute ban on releasing the names of COVID positive patients and such an act may be allowed under exceptional circumstances, although no such circumstance has been considered or illustrated by any Court till date. The only scenario in which such disclosures were allowed was when the Odisha government wanted to release the names of deceased COVID warriors (government employees engaged in COVID containment activities) so as to bestow them with appropriate state honors during their funeral. However even this act was done only with the previous consent of the family members of the deceased. 

Thus while the law leaves scope for situations where the names of COVID positive patients may be released by the state authorities, no specific examples of such situations have been listed out by the Courts. The only guidance given by Courts in this regard is that any such disclosure would have to satisfy the established exceptions to the right to privacy, more specifically the three-fold test laid down by the Supreme Court in Puttaswamy of legality, proportionality and legitimate state interest.

Today marks three years since the Supreme Court of India recognised the fundamental right to privacy, but the ideals laid down in the Puttaswamy Judgment are far from being completely realized. Through our research, we invite you to better understand the judgment and its implications, and take stock of recent issues pertaining to privacy.  

1. Amber Sinha dissects the Puttaswamy Judgment through an analysis of the sources, scope and structure of the right, and its possible limitations. [link]

2. Through a visual guide to the fundamental right to privacy, Amber Sinha and Pooja Saxena trace how courts in India have viewed the right to privacy since Independence, explain how key legal questions were resolved in the Puttaswamy Judgement, and provide an account of the four dimensions of privacy — space, body, information and choice — recognized by the Supreme Court. [link]

3. Based on publicly available submissions, press statements, and other media reports, Arindrajit Basu and Amber Sinha track the political evolution of the data protection ecosystem in India, on EPW Engage. They discuss how this has, and will continue to impact legislative and policy developments. [link] 

4. For the AI Policy Exchange, Arindrajit Basu and Siddharth Sonkar examine the  Automated Facial Recognition Systems (AFRS), and define the key legal and policy questions related to privacy concerns around the adoption of AFRS by governments around the world. [link]

5. Over the past decade, reproductive health programmes in India have been digitising extensive data about pregnant women. In partnership with Privacy International, we studied the Mother and Child Tracking system (MCTS), and Ambika Tandon presents the impact on the privacy of mothers and children in the country. [link] 

6. While the right to privacy can be used to protect oneself from state surveillance, Mira Swaminathan and Shubhika Saluja write about the equally crucial problem of lateral surveillance — surveillance that happens between individuals, and within neighbourhoods, and communities — with a focus on this issue during the COVID-19 crisis. [link]

7. Finally, take a dive into the archives of the Centre for Internet and Society to read our work, which was cited in the Puttaswamy judgment — essays by Ashna Ashesh, Vidushi Marda and Bhairav Acharya that displaced the notion that privacy is inherently a Western concept, by attempting to locate the constructs of privacy in Classical Hindu [link], and Islamic Laws [link]; and Acharya’s article in the Economic and Political Weekly, which highlighted the need for privacy jurisprudence to reflect theoretical clarity, and be sensitive to unique Indian contexts [link].