Centre for Internet and Society

Calcutta High Court Strengthens Whistle Blower Protection

divij — 2014-02-24T06:38:44Z

Calcutta High Court has ordered for protection of whistle blower's privacy in its November 20, 2013 order. The court has directed the government to accept RTI applications without the applicant's personal details.

In the absence of any law for the protection of whistle-blowers in the country, exposing the rampant corruption in our public institutions has become a hazardous occupation, with reports of threat and intimidation and even incidents of murder of whistle-blowers commonplace.[1] With the Whistle blower’s Protection Bill in abeyance and without any strict laws protecting the identities of the whistle-blowers who challenge such a corrupt system, even the mechanisms like the Right to Information Act which are meant to safeguard against systemic abuse and ensure transparency are being severely undermined.

For this reason, the Calcutta High Court’s affirmation of whistle-blowers’ privacy and identity protection is an important development. Through its order on the 20th of November, 2013, the Calcutta High Court held that for the purposes of section 6(2), which requires an application to the Public Information Officer to provide contact details of the applicant, it is sufficient in such application to disclose only the post-box number of the applicant. The court directed the Government to accept RTI applications without personal details or detailed whereabouts, when a post-box number or sufficient detail has been provided to establish contact between the whistle-blower and the authority. However if a public authority has any difficulty contacting the applicant through the Post Box No. the applicant may be asked to provide other contact details. The court further directed that personal details of applicants are not to be posted on the authorities’ websites.

The order, which was notified by the Government last week, ensures to some extent the protection of a whistle-blowers identity, and reduces the chances of the RTI being undermined by threats or acts of violence by those who are a part of the corrupt system, against persons exercising their right to information. However, its implementation is liable to be contingent on the authorities’ interpretation of when it would be “difficult” to establish contact between the authority and the applicant. Certain practical difficulties could also undermine the actual impact of the order, such as the fact that many applications are sent through registered or speed post, which cannot be mailed to a post-box number, especially since ordinary post cannot be tracked online like speed or registered post.[2]

Developing a system in which ordinary citizens do not have to fear retaliation for exposing corruption requires a comprehensive legislation protecting whistle-blowers identities and ensuring data security. However, the important message this judgement sends out is that the judiciary is still committed to protecting whistle-blowers, in lieu of the government’s actions. This is a particularly important stance taken by the Court, considering the Supreme Court in the past has refused to frame guidelines for whistle-blower protection, citing the imperative in enacting a whistle-blower legislation to be the Parliament’s.[3]

A full text of the judgement is available here.

[1].Whistleblower shot dead in Bihar, THE HINDU, available at http://www.thehindu.com/news/national/whistleblower-shot-dead-in-bihar/article4542293.ece; Tamil Nadu Whistleblower alleges death threats; Silence from Government, NDTV, available at http://www.ndtv.com/article/india/tamil-nadu-whistleblower-alleges-death-threats-silence-from-govt-410450.

[2]. Indian Postal Tracking Portal, http://www.indiapost.gov.in/tracking.aspx.

[3]. Supreme Court refuses to frame guidelines for protection of whistleblowers, Daily News and Analysis, available at http://www.dnaindia.com/india/report-supreme-court-refuses-to-frame-guideline-for-protection-of-whistleblowers-1525622.

For more details visit http://editors.cis-india.org/internet-governance/blog/calcutta-hc-strengthens-whistle-blower-protection

ಭಾರತೀಯ ಡಿಎನ್ಎ ಪ್ರೊಫೈಲಿಂಗ್ ಮಸೂದೆಯ ಸೀಳುನೋಟ

praskrishna — 2012-10-03T15:42:54Z

ಭಾರತೀಯ ದಂಡಸಂಹಿತೆಯನ್ನು ೨೦೦೫ರಲ್ಲಿ ತಿದ್ದುಪಡಿ ಮಾಡಲಾಯಿತು. ಇದರ ಉದ್ದೇಶ ಆಪಾದಿತರನ್ನು ಬಂಧಿಸಿದಾಗ ಅವರ ಬಗ್ಗೆ ವಿವಿಧ ವೈದ್ಯಕೀಯ ಮಾಹಿತಿ ಸಂಗ್ರಹಿಸಲು ಕಾನೂನುರೀತ್ಯಾ ಅವಕಾಶ ಕಲ್ಪಿಸುವುದು.

ದಂಡಸಂಹಿತೆಯ ಸೆಕ್ಷನ್ ೫೩ರ ಪ್ರಕಾರ, ಅಪರಾಧವನ್ನು ಸಾಬೀತು ಪಡಿಸಲು ವೈದ್ಯಕೀಯ ಪರೀಕ್ಷೆ ಸಾಕ್ಷ್ಯ ಒದಗಿಸುತ್ತದೆ ಎಂದು “ನಂಬಲು ತಕ್ಕಮಟ್ಟಿನ ಕಾರಣಗಳಿದ್ದರೆ”, ಆಪಾದಿತನನ್ನು ಬಂಧಿಸಿದಾಗ ಆತನನ್ನು ವೈದ್ಯಕೀಯ ಪರೀಕ್ಷೆಗೆ ಒಳಪಡಿಸಬಹುದು. ೨೦೦೫ರ ತಿದ್ದುಪಡಿಯ ಮೂಲಕ, ಈ ಪರೀಕ್ಷೆಯ ವ್ಯಾಪ್ತಿಯನ್ನು ಇವೆಲ್ಲವನ್ನು ಸೇರಿಸಿಕೊಳ್ಳಲಿಕ್ಕಾಗಿ ವಿಸ್ತರಿಸಲಾಯಿತು: ರಕ್ತದ, ರಕ್ತಕಲೆಗಳ, ವೀರ್ಯದ ಪರೀಕ್ಷೆ, ಲೈಂಗಿಕ ಅಪರಾಧಗಳಲ್ಲಿ ಸ್ವಾಬ್ಗಳ ಪರೀಕ್ಷೆ, ಉಗುಳು, ಬೆವರು, ಕೂದಲಿನ ಸ್ಯಾಂಪಲ್ ಮತ್ತು ಉಗುರಿನ ತುಂಡುಗಳ ಪರೀಕ್ಷೆ. ನಿರ್ದಿಷ್ಟ ಪ್ರಕರಣದಲ್ಲಿ ಅವಶ್ಯವೆಂದು ನೋಂದಾಯಿತ ವೈದ್ಯರು ಭಾವಿಸುವ ಡಿಎನ್ಎ ಪ್ರೊಫೈಲಿಂಗ್ ಹಾಗೂ ಅಂತಹ ಇತರ ಪರೀಕ್ಷೆಗಳ ಸಹಿತವಾಇ ಆಧುನಿಕ ಮತ್ತು ವೈಜ್ನಾನಿಕ ವಿಧಾನಗಳನ್ನು ಬಳಸಿ ವೈದ್ಯಕೀಯ ಪರೀಕ್ಷೆ ನಡೆಸಬೇಕು.

ಕ್ರಿಮಿನಲ್ ಪ್ರಕರಣದಲ್ಲಿ ಆಪಾದಿತ ಷಾಮೀಲಾಗಿರುವುದನ್ನು ತಿಳಿಯಲಿಕ್ಕಾಗಿ ಡಿಎನ್ಎ ಪರೀಕ್ಷೆಗೆ ಆದೇಶ ನೀಡುವುದರ ಕಾನೂನುಬದ್ಧತೆಯನ್ನು ತೊಗೊರಾಣಿ ಅಲಿಯಾಸ್ ಕೆ. ದಮಯಂತಿ ವರ್ಸಸ್ ಒರಿಸ್ಸಾ ಸ್ಟೇಟ್ ಮತ್ತು ಇತರರು (೨೦೦೪ ಕ್ರಿಮಿನಲ್ ಎಲ್ಜೆ ೪೦೦೩ – ಒರಿಸ್ಸಾ) ಪ್ರಕರಣದಲ್ಲಿ ಒರಿಸ್ಸಾ ಹೈಕೋರ್ಟ್ ಎತ್ತಿ ಹಿಡಿದಿದೆ. ಡಿಎನ್ಎ ಪರೀಕ್ಷೆಗೆ ಆಪಾದಿತ ಸಹಕರಿಸದಿದ್ದರೆ, ಅವನ ಬಗ್ಗೆ ವ್ಯತಿರಿಕ್ತ ಅಭಿಪ್ರಾಯ ಮೂಡುತ್ತದೆ.

ಈ ವಿಷಯದಲ್ಲಿ ವೈಯುಕ್ತಿಕ ಗೌಪ್ಯತೆಯ ಅಂಶಗಳನ್ನು ಪರಿಗಣಿಸಿದ ಬಳಿಕ, ಡಿಎನ್ಎ ಪರೀಕ್ಷೆ ಆದೇಶಿಸುವ ಮುನ್ನ, ಈ ವಿಚಾರಗಳನ್ನು ಪರಿಗಣಿಸಬೇಕೆಂದು ಹೈಕೋರ್ಟ್ ನಿರ್ದೇಶನ ನೀಡಿದೆ: (೧) ಅಪರಾಧ ಎಸಗುವುದರಲ್ಲಿ ಆಪಾದಿತನು ಎಷ್ಟರ ಮಟ್ಟಿಗೆ ಭಾಗವಹಿಸಿರಬಹುದು? (೨) ಅಪರಾಧದ ಗಂಭೀರತೆ ಮತ್ತು ಅಪರಾಧ ಎಸಗಿದ ಸಂದರ್ಭ (೩) ಆಪಾದಿತನ ಪ್ರಾಯ, ದೈಹಿಕ ಮತ್ತು ಮಾನಸಿಕ ಆರೋಗ್ಯ (೪) ಅಪರಾಧದಲ್ಲಿ ಆಪಾದಿತ ಭಾಗವಹಿಸಿದ್ದನ್ನು ಖಚಿತಪಡಿಸುವ ಅಥವಾ ಖುಲಾಸೆ ಮಾಡುವ ಸಾಕ್ಷಾಧಾರಗಳನ್ನು ಸಂಗ್ರಹಿಸುವ ಕಡಿಮೆ ಆತಂಕಕಾರಿಯಾದ ಮತ್ತು ಕಾರ್ಯಸಾಧ್ಯವಾದ ಇತರ ವಿಧಾನಗಳು ಇವೆಯೇ? (೫) ಆಪಾದಿತನು ಡಿಎನ್ಎ ಪರೀಕ್ಷೆಗೆ ಒಪ್ಪಿಗೆ ನಿರಾಕರಿಸಲು ಕಾರಣಗಳೇನು?

ಸಂಸತ್ತಿನ ಅನುಮೋದನೆಗಾಗಿ ಕಾದಿರುವ ೨೦೦೭ರ ಡಿಎನ್ಎ ಪ್ರೊಫೈಲಿಂಗ್ ಮಸೂದೆಯ ಉದ್ದೇಶವನ್ನು ಚುಟುಕಾಗಿ ಹೀಗೆ ಹೇಳಬಹುದು: “ದೇಶದ ಕ್ರಿಮಿನಲ್ ನ್ಯಾಯವ್ಯವಸ್ಥೆಯ ಕಿಂಚಿತ್ ಸಂಪರ್ಕಕ್ಕೆ ಬಂದವರೆಲ್ಲರ ಡಿಎನ್ಎ ವಿವರಗಳನ್ನು ದಾಖಲಿಸುವ “ಕೇಂದ್ರ ಡಿಎನ್ಎ ಮಾಹಿತಿ ಬ್ಯಾಂಕನ್ನು” ರಚಿಸುವ ಮಹತ್ವಾಕಾಂಕ್ಷಿ ಪ್ರಯತ್ನ.” ಅಂದರೆ, ಸಂಶಯಕ್ಕೆ ಒಳಗಾದ ವ್ಯಕ್ತಿಗಳು, ಕಾನೂನು ಮುರಿಯುವವರು, ಕಾಣೆಯಾದ್ವರು ಮತ್ತು ಸ್ವ-ಇಚ್ಚೆಯವರು – ಇವರ ಡಿಎನ್ಎ ವಿವರಗಳ ಡಿಎನ್ಎ ಮಾಹಿತಿ

For more details visit http://editors.cis-india.org/news/cadcbecb0ca4caf-ca1cbfc8eca8ccdc8e-caaccdcb0cabcb2cbfc82c97ccd-caecb8cc2ca6cc6caf-cb8cb3cc1ca8c9f

C-DoT's surveillance system making enemies on internet

praskrishna — 2014-04-04T09:45:37Z

Reporters Without Boundaries says it gives unbridled power to law- enforcement agencies to snoop on citizens.

The article by Krishna Bahirwani was published in DNA on March 21, 2014. Sunil Abraham is quoted.

The Central Monitoring System (CMS) developed by the Centre for Development of Telematics (C-DoT) has come under fire from a France based non-profit organisation, which claims the system has the capacity to directly snoop on all forms of communications over phone and internet, without involving telecom operators.

The NGO's Reporters Without Boundaries report 2014, 'Enemies Of The Internet' has equated C-DoT with Government Communications Headquarters (GCHQ) in the UK, and the US's National Security Agency (NSA), which recently came under criticism for spying on citizens.

CMS, India's mass electronic surveillance system, was rolled out in 2013.

Before the CMS, tapping was done by the telecom operators, but not before taking prior permission. The CMS gives direct access to C-DoT employees and law-enforcement agencies.

CMS has created an automated front containing central and regional databases, which central and state government agencies can use to intercept and monitor any landline, mobile or internet connection in India.

Minister of state for information technology Milind Deora said, "The new data collection system will actually improve citizens' privacy because telecommunications companies would no longer be directly involved in the surveillance."

Asked what would prevent C-DoT employees, who would have access to data, from misusing it, Deora said, "There is a switching mechanism (that) diverts the call to law-enforcement agencies and eliminates layers. The existing surveillance and interception system is actually insecure as the operator, people from the home ministry and other government officials have access to the data. The CMS will erase such people from play."

"I want the people to know the design aspects and how the system is being used for lawful interceptions, so that they can shed their inhibitions We do not want to put power in the hands of the bureaucrats" he said.

Harold Dcosta, a cyber security expert who trains Maharashtra and Goa police, said, "It's possible that employees of CDoT/law enforcement agencies could use the information gathered by CMS for personal or political use although 43 and 43 A of the IT Act would protect people when something like that happens and will give the person compensation.

He said, "There should be more transparency with regard to CMS".

Sunil Abraham, executive director of Bangalore-based non-profit Centre for Internet and Society said the mistaken assumption in their thinking is technology will serve as a check and balance.

"Technology can always be compromised," he said. There is no way to find out about what is actually going on. If the CMS is abused it is very difficult to prove."

Deora said a privacy law is being drafted to address these issues. Last month, a parliamentary standing committee rejected the government claim that IT Act protects citizens' privacy. The committee, chaired by former Congress MP Rao Inderjit Singh, said, "The committee is extremely unhappy to note that the government is yet to institute a legal framework on privacy."

For more details visit http://editors.cis-india.org/news/dna-march-21-2014-krishna-bahirwani-c-dots-surveillance-system-making-enemies-on-internet

Bumpy road ahead for RFID Tags in vehicles

praskrishna — 2016-12-10T04:31:11Z

The government plans to make digital tags in vehicles mandatory to ensure seamless passage at the toll booths, but the implementation of the proposed move may not be so smooth.

The article by Smriti Sharma Vasudeva was published in the Statesman on December 7, 2016. Pranesh Prakash was quoted.

On one hand, the digital tags stand to compromise the safety of the vehicle and the owners, while on the other, majority of automobiles manufacturing companies claim that the vehicles are being equipped with the digital tags since 2013 and it is the implementation of the order that has been grossly ineffective.

Post the recent demonetisation, as a part of the government’s efforts towards a cashless society, Economic Affairs Secretary Shaktikanta Das stated that the union government has advised the automobile manufacturers to provide a digital identity tag in all new vehicles, including cars, to enable electronic payment at all toll plazas and ensure seamless movement at check posts.

He said the provision of Electronics Product Code Global Incorporated (EPCG)-compliant Radio Frequency Identification (RFID) facility in all new vehicles will ensure payment of toll digitally and also avoid the waiting time, and the vehicles will move seamlessly without having to wait at check posts. “This will improve the functioning of toll plaza, digital payments,” Das said.

In fact, the move to mandate all the vehicles with RFID tags was first made in 2013 when the then government made it compulsory to install Radio Frequency Identification (RFID) tags on the medium and heavy motor vehicles through the proposed rule 138A of the Central Motor Vehicle Rules, 1989. However, the same could not be fully implemented for several reasons and was also opposed by public and advocacy groups alike.

In 2013, the Centre for Internet and Society (CIS), a non-profit organisation sent an open letter to the Society of Indian Automobile Manufacturers (SIAM) to urge them not to install RFID tags in vehicles in India as the legality; necessity and utility of RFID tags had not been adequately proven.

The letter stated that such technologies raise major ethical concerns, since India lacks privacy legislation, which could safeguard individual’s data. The letter added that the proposed rule 138A of the Central Motor Vehicle Rules, 1989, mandates that RFID tags are installed in all light motor vehicles in India.

However, section 110 of the Motor Vehicles Act (MV Act), 1988, does not bestow on the Central Government a specific empowerment to create rules in respect to RFID tags. Thus, the legality of the proposed rule 138A is questioned, and we urge you to not proceed with an illegal installation of RFID tags in vehicles until the Supreme Court has clarified this issue.

Speaking to The Statesman, Pranesh Prakash, Policy Director, Centre for Internet and Society said, “Our stand remains the same as it was three years ago when we spoke out against this move: mandating RFID tags in all vehicles is a terrible idea, and a privacy and security nightmare. “It is important to ensure that RFID tagging (and other similar technologies, like automated licence plate readers) do not end up as a means of engaging in mass surveillance and tracking, which would be contrary to the judgments of the Supreme Court in cases like Kharak Singh vs the Union Government.

“The government has not provided any safeguards — such as mandating non-storage of any vehicle-identifying data. The government has asked manufacturers of all vehicles to include trackers, not just for goods vehicles or mass transport vehicles.

“Nor has the government come up with any standards to ensure security of the RFID tags — to prevent unauthorized third parties from tracking you or deducting money from your account. In short, the government should immediately retract its advice to vehicle manufacturers, and should work with experts to fix these problems,” Prakash said.

For more details visit http://editors.cis-india.org/internet-governance/news/statesman-december-7-2016-smriti-sharma-vasudeva-bumpy-road-ahead-for-rfid-tags-in-vehicles

Building a Community of Practice: Reflections from 2nd All Partners

Admin — 2018-12-01T04:18:52Z

On Wednesday, November 14th, the Partnership on AI held its 2nd annual All Partners Meeting in San Francisco, California. Representatives from our 80+ member organizations – for-profit companies, civil society organizations, academic institutions, and advocacy groups – traveled from across the globe to reflect on 2018 progress, and to plan for the future.

Elonnai Hickok participated in the event held in San Francisco on November 14 and 15, 2018. The event was organized by Partnership on AI. On November 14, Elonnai spoke on the panel on the PAI working groups and on November 15 she co-lead the AI Labor and Economy working group meeting as co-chair of the group. More details can be accessed here.

For more details visit http://editors.cis-india.org/internet-governance/news/building-a-community-of-practice-reflections-from-2nd-all-partners

BSides Delhi 2019 Security Conference

Admin — 2019-10-20T06:47:26Z

Karan Saini attended the BSides Delhi security conference on October 11, 2019. The event was organized by Bsides Delhi in New Delhi.

Click to view the agenda here. Videos of the event can be viewed here.

For more details visit http://editors.cis-india.org/internet-governance/news/bsides-delhi-2019-security-conference

Brochures from Expos on Smart Cards, e-Security, RFID & Biometrics in India

maria — 2013-12-26T05:24:39Z

Electronics Today organised a series of expos on smart cards, e-security, RFID and biometric technology in Delhi on 16-18 October 2013. The Centre for Internet and Society is sharing the brochures it collected from these public expos for research purposes.

In Pragati Maidan, New Delhi, many companies from India and abroad gathered to exhibit their products at the following expos which were organised by Electronics Today (India's first electronic exhibition organiser) on 16-18 October 2013:

SmartCards Expo 2013
e-Security Expo 2013
RFID Expo 2013
Biometrics Expo 2013

The Centre for Internet and Society (CIS) attended these exhibitions for research purposes and is sharing the publicly available brochures it gathered through the attached zip file. The use of these brochures constitutes Fair Use.

For more details visit http://editors.cis-india.org/internet-governance/blog/brochures-from-expos-in-india-2013

Briefing on BBC News pan-India research on how 'fake news' / digital misinformation spreads

Admin — 2018-12-05T14:01:10Z

Amber Sinha participated in a special private briefing on the BBC's pan India research on how misinformation spreads. The briefing was conducted on November 16, 2018 in New Delhi.

The briefing was very useful in understanding both the methodology employed by the researchers, and how they arrived ate certain findings. The report can be accessed here.

For more details visit http://editors.cis-india.org/internet-governance/news/briefing-on-bbc-news-pan-india-research-on-how-fake-news-digital-misinformation-spreads

Breeding misinformation in virtual space

amber — 2017-12-08T02:24:29Z

A well-informed citizenry and institutions that provide good information are fundamental to a functional democracy.

The phenomenon of fake news has rece-ived significant sc-holarly and media attention over the last few years. In March, Sir Tim Berners Lee, inventor of the World Wide Web, has called for a crackdown on fake news, stating in an open letter that “misinformation, or fake news, which is surprising, shocking, or designed to appeal to our biases, can spread like wildfire.”

Gartner, which annually predicts what the next year in technology will look like, highlighted ‘increased fake news’ as one of its predictions.

The report states that by 2022, “majority of individuals in mature economies will consume more false information than true information. Due to its wide popularity and reach, social media has come to play a central role in the fake news debate.”

Researchers have suggested that rumours penetrate deeper within a social network than outside, indicating the susceptibility of this medium. Social networks such as Facebook and communities on messaging services such as Whats-App groups provide the perfect environment for spreading rumours. Information received via friends tends to be trusted, and online networks allow in-dividuals to transmit information to many friends at once.

In order to understand the recent phenomenon of fake news, it is important to recognise that the problem of misinformation and propaganda has existed for a long time. The historical examples of fake news go back centuries where, prior to his coronation as Roman Emperor, Octavian ran a disinformation campaign against Marcus Antonius to turn the Roman populace against him.

The advent of the printing press in the 15th century led to widespread publication; however, there were no standards of verification and journalistic ethics. Andrew Pettigrew wri-tes in his The Invention of News, that news reporting in the 16th and 17th centuries was full of portents about “comets, celestial apparitions, freaks of nature and natural disasters.”

In India, the immediate cause for the 1857 War of Indepen-dence was rumours that the bones of cows and pigs were mixed with flour and used to grease the cartridges used by the sepoys.

Leading up to the Second World War, the radio emerged as a strong medium for dissemination of disinformation, used by the Nazis and other Axis powers. More recently, the milk miracle in the mid-1990s consisting of stories of the idol of Ganesha drinking milk was a popular fake news phenomenon. In 2008, rumours about the popular snack, Kurkure, being made out of plastic became so widespread that Pepsi, its holding company, had to publicly rebut them.

A quick survey by us at the Centre of Internet and Society, for a forthcoming report, of the different kinds of misinformation being circulated in India, suggested four different kinds of fake news.

The first is a case of manufactured primary content. This includes instances where the entire premise on which an argument is based is patently false. In August 2017, a leading TV channel reported that electricity had been cut to the Jama Masjid in New Delhi for non-payment of bills. This was based on a false report carried by a news portal.

The second kind of fake news involves manipulation or editing of primary content so as to misrepresent it as something else. This form of fake news is often seen with respect to multimedia content such as images, pictures, audios and videos. These two forms of fake news tend to originate outside traditional media such as newspapers and television channels, and can be often sourced back to social media and WhatsApp forwards.

However, we see such unverified stories being picked up by traditional media. Further, there are instances where genuine content such as text and pictures are shared with fallacious contexts and descriptions. Earlier this year, several dailies pointed out that an image shared by the ministry of home affairs, purportedly of the floodlit India-Pakistan border, was actually an image of the Spain-Morocco border. In this case, the image was not doctored but the accompanying information was false.

Third, more complicated cases of misinformation involve the primary content itself not being false or manipulated, but the facts when they are reported may be quoted out of context. Most examples of misinformation spread by mainstream media, which has more evolved systems of fact checking and verification, and editorial controls, would tend to fall under this.

Finally, there are instances of lack of diligence in fully understanding the issues before reporting. Such misrepresentations are often encountered while reporting in fields that require specialised knowledge, such as science and technology, law, finance etc. Such forms of misinformation, while not suggestive of malafide intent can still prove to be quite dangerous in shaping erroneous opinions.

While the widespread dissemination of fake news contributes greatly to its effectiveness, it also has a lot to do with the manner in which it is designed to pander to our cognitive biases. Directionally motivated reasoning prompts people confronted with political information to process it with an intention to reach a certain pre-decided conclusion, and not with the intention to assess it in a dispassionate manner. This further results in greater susceptibility to confirmation bias, disconfirmation bias and prior attitude effect.

Fake news is also linked to the idea of “naïve realism,” the belief people have that their perception of reality is the only accurate view, and those in disagreement are necessarily uninformed, irrational, or biased. This also explains why so much fake news simply does not engage with alternative points of view.

A well-informed citizenry and institutions that provide good information are fundamental to a functional democracy. The use of the digital medium for fast, unhindered and unchecked spread of information presents a fertile ground for those seeking to spread misinformation. How we respond to this issue will be vital for democratic societies in our immediate future. Fake news presents a complex regulatory challenge that requires the participation of different stakeholders such as the content disseminators, platforms, norm guardians which include institutional fact checkers, trade organisations, and “name-and-shaming” watchdogs, regulators and consumers.

For more details visit http://editors.cis-india.org/internet-governance/blog/asian-age-amber-sinha-december-3-2017-

Breach Notifications: A Step towards Cyber Security for Consumers and Citizens

Amelia Andersdotter — 2017-11-14T15:38:15Z

Through the Digital India project the Indian government is seeking to establish India as a digital nation at the forefront. Increasingly, this means having good cyber-security policies in place and enabling a prosperous business environment for companies that implement sound cyber-security policies. This paper will look at one such policy, which enables investments in cyber-security for IT products and services through giving consumers a way to hold business owners and public authorities to account when their security fails.

Electronic data processing has awarded societies with lots of opportunities for improvements that would not have been possible without them. Low market entrance barriers for new innovators have caused a flood of applications and automations that have the potential to improve citizens’ and consumers’ lives, as well as government operations. But while the increasing prevalence of electronic hardware and programmable software in many different parts of society and industry, combined with the intricate value chains of international communications networks, devices and equipment markets and software markets, have created a large number of opportunities for economic, social and public activity, they have also brought with them a number of specific problems pertaining to consumer rights.

Read full report here

For more details visit http://editors.cis-india.org/internet-governance/blog/breach-notifications-a-step-towards-cyber-security-for-consumers-and-citizens

Bouquets & brickbats for Google's new privacy policy

praskrishna — 2013-10-25T05:40:56Z

Google's recent privacy policy change that allows the internet search company to use names, photographs and endorsements by its users in online advertisements is getting mixed reviews in India - advertisers love it, and activists love to hate it.

This article by Indu Nandakumar was published in the Economic Times on October 18, 2013. Sunil Abraham is quoted.

Internet rights activists called it another incursion into individual privacy by the California-based company that uses 'Don't be evil' as an informal corporate motto. Brand advisers and marketers praised the ingenuity of personalisation that can make advertising much more effective.

"From a user perspective, there is a higher chance of them buying a product if it is endorsed by a friend," said Kunal Jeswani, chief digital officer at Ogilvy & Mather India. To his mind, the argument about user privacy is "naive" because when a user enters a social network, he/she should know his/her personal information, such as profile photographs and names, is already on the web.

Google announced its policy change regarding user information will be effective on November 11, giving the company the right to use profile names, photos and comments alongside advertisements by clients who use its online advertising network of over 2 million websites.

For instance, if a user has endorsed a product by giving it a "+1" or rated a product on the Google Play app store, his/her image will appear next to the ad when it is displayed to people who are part of his/her social circle on the social networking service Google Plus. The move is seen as Google's attempt to catch up with rival Facebook, which first introduced the concept of 'social ads' that let corporations use the power of influence of people within a person's social network to sell products.

Internet rights activists said such practices raise privacy concerns as they do not take prior consent of users.

"We are not comfortable with user information being used without their permission, especially since Google's privacy standards are not very high," said Uday Mehta, associate director at Consumer Unity and Trust Society (CUTS International).

Last year, the agency complained to Competition Commission of India to investigate Google's alleged anti-competitive practices here. An investigation is ongoing.

In an emailed response, Google said it is notifying users about the change in policy, so that if a user does not like it, he/she can turn it off.

"Since we're updating an existing setting, we will continue to respect the choice you made about the old setting. That means if you already told us that you didn't want your +1s to appear in ads, none of your other shared endorsements will appear in ads," a Google spokesman said.

For example, Google said, if a user reviewed a restaurant, people who aren't in his/her Google Plus Circles of friends would not see that review in an ad that the restaurant might run through Google.

The latest ad strategy comes at a time when companies such as Google and Facebook have been attempting to increase their ad revenues by personalising advertisements to attract user attention. Over 90% of Google's $46-billion revenue in 2012 came from advertisements.

Sunil Abraham, executive director of the Center for Internet and Society said the issue highlights the need for a stronger internet privacy statute in India. The absence of clear privacy laws makes it impossible for government officials to understand the harm caused to personal rights because of the default settings of Google, he observed.

For more details visit http://editors.cis-india.org/news/economic-times-october-18-2013-indu-nandakumar-bouquets-brickbats-google-new-privacy-policy

Bolstering right to remain private

praskrishna — 2012-10-29T09:00:13Z

The Justice AP Shah panel has done to well to lay down an enforceable roadmap that can strengthen privacy laws in the country. It’s now for the legislature to take the issue to a logical conclusion.

Apar Gupta's column was published in the Pioneer on October 29, 2012.

A haveli courtyard is an apt metaphor for the complexity which is involved in drafting a law on privacy. Though the courtyard gives an appearance of openness, it is limited by the walls, doors and windows which surround it. The architecture represents a mediated understanding of the options which are available to the resident in sharing and limiting information to family and strangers. A somewhat similar project is in the works with the Union Government taking steps towards the enactment of a privacy law.

Privacy law as it is understood at present is usually limited to the odd writ petition filed against the Government by a private individual seeking enforcement of a fundamental right to privacy. Recently, such adjudication has been limited to high-profile individuals, and where there is wide voyeuristic interest. For instance, two recent petitioners include industrialist Ratan Tata and former Samajwadi Party leader Amar Singh. Here, it is important to stress that with the state gathering more and more data about individuals through the Unique Identification Authority of India scheme, there is a need to democratise the right by making legal provisions for its enforcement. In making such provisions a balance has to be maintained, where information which serves public interest or gathered through informed consent is not encumbered in the name of protecting individual privacy.

To find this balance, the Government late last year tasked a Committee of Experts chaired by Justice AP Shah to prepare a report on the Privacy Bill. Readers would recall that Justice Shah had authored a judgement which read down Section 377 of the Indian Penal Code, decriminalising homosexual activity. A closer reading of the judgement shows the reliance placed by the court on the privacy right and to reach its determination. With such credentials, the Justice Shah Committee has exceeded the high expectations placed on it, presenting a fair and balanced approach towards a privacy law in India.

At the very outset the report clearly marks its objectives, from which it then commences to study judicial precedent on privacy as well as the experience of foreign jurisdictions. On the basis of this study, it has evolved nine privacy principles which encompass within it distinct aspects of individual privacy. Such a nuanced approach to privacy is certainly welcome given that privacy as a right is often subjective, varying drastically in its appreciation as per civil society, private industry and even Government itself.

Beyond the specific aspects of the privacy right, the report extends the right both to Government as well as private industry. This is a sign of the times, best put by Pranesh Prakash, policy director, Centre for Internet and Society, when he says that citizens reveal more data about themselves to social networking websites than they would to the Government under torture!

Another significant aspect is the proposed co-regulatory regime which the report suggests. And, experience has taught us that a right without an effective remedy to enforce it counts for a little more than a black letter on paper. In this respect, the report proposes a sectoral regulator which has supervision over State level privacy commissioners. In addition to this, the report also proposes a system of self-regulation where industry-specific standards may be proposed and then sanctioned by the privacy commissioners. However, contrary to the present approach of tribunalisation, the report suggests that recourse to civil courts for aggrieved persons should always be kept open.

Though the origins of the privacy rights may be antiquated, widespread consensus suggests that the modern practice and substance of privacy law owes its beginning to an article published in the fourth volume of the Harvard Law Review. The article, authored by Louis Brandeis and Samuel Warren drawing a physical justification for what seemed like a novelty back then, stated that the law regarded a man’s house as his castle.

Sadly, the right has not seen a proper development in India, mainly due to the absence of an overarching legislation as well as a lack of understanding of its proper contours. At least in this respect, the report marks a significant development in the drafting of a comprehensive privacy legislation in India. A haveli, a house or a castle — the Justice Shah panel has provided a useful blueprint to the legislature to build an effective and balanced statute to safeguard individual privacy.

(The writer is a partner in a Delhi-based law firm and visiting faculty at the National Law University, Delhi)

For more details visit http://editors.cis-india.org/news/daily-pioneer-columnists-oct-29-2012-apar-gupta-bolstering-right-to-remain-private

Bloggers' Rights Subordinated to Rights of Expression: Cyber Law Expert

elonnai — 2012-03-21T09:35:06Z

Vijayashankar, an eminent cyber law expert answers Elonnai Hickok’s questions on bloggers' rights, freedom of expression and privacy in this e-mail interview conducted on May 19, 2011.

A set of rules relating to regulation of the Internet (mentioned in section 79 of the ITAA, 2008) was released in April 2011. In light of the rules framed under the IT Act, and as part of our research on privacy and Internet users, we have been looking into questions surrounding bloggers’ rights, freedom of expression, and privacy.

The new rules require among other things that intermediaries take down any content that could be considered disparaging. In practice, these rules will act to limit the ability of individuals to express their opinions on the Internet — especially for the bloggers. Though these requirements seem to only impact the freedom of expression of bloggers, a blogger’s privacy rights, especially in relation to the protection of their identity, are also pulled into question. Other issues surrounding bloggers’ rights and privacy include: if bloggers are identified as journalists, then whether they should be afforded the same protections and privileges, e.g., should bloggers have the right to free political speech and should intermediaries have freedom from liability for hosting speech or others’ comments? Are bloggers allowed to publish material that is under copyright on their website?

On May 19, 2011, through e-mail, I had the opportunity to interview Vijayashankar, an expert in cyber law, on issues regarding the rights of bloggers freedom of expression, and privacy. Vijayashankar has authored multiple books on cyber law, taught in many universities, and is an active leader of the Netizen movement in India. Below is a summary of the questions I posed to Vijayashankar and his responses.

I began the interview by trying to understand bloggers’ rights and how they are defined. Often the term 'bloggers' rights is used casually, but it is important to understand the different roles that a blogger plays in order to understand what his/her rights are, how they could be violated, and how they could be protected. Vijayashankar explained that a blog is comprised of two parties: a blogger and an intermediary – which is the application host. Bloggers have many different roles: authors, editors, or publishers of content, and thus, a blogger’s rights should be defined within these contexts. As authors, bloggers write their own article/blog or adds comments to others’ blogs. As such, they should have the freedom to express their thoughts and opinions and determine a level of privacy with which to maintain them, without regulation or censorship from a third party. Though the freedom of expression and privacy should be basic rights for blog authors, bloggers must also be held accountable and responsible for the content that they choose to make public by posting on accessible web pages.

The need for a blogger to be held responsible and accountable is similar to the limitation on speech that informs defamation law, and it means that a blogger cannot be entirely anonymous – at least not once a blog is public and is challenged. Thus, accountability must limit the right to be entirely private and anonymous. Though a blogger should be held accountable, the international implications give rise to thorny issues of jurisdiction and accountability under unforeseen laws: all of which raises the question whether, instead of local jurisdictions seeking to enforce their laws against potentially out-of-the-jurisdiction bloggers, an international third party should be entrusted with the responsibility of holding bloggers accountable and responsible – whether that takes the form of an organization like the WTO or WIPO or looks more like specially trained international arbitrators.

This challenge arises because bloggers live in different jurisdictions where different rules apply, but their opinions cross multiple borders and boundaries. This raises questions such as: Which jurisdictional law should the blogger be accountable to? Should a blogger be held responsible for actions that are considered violations in a jurisdiction in which a blog is read, even if those actions are not violations in the jurisdiction in which it is written? And if a blogger is to be held responsible, who should hold him responsible – the country where the action is considered a violation or his own country – and where does a private party have a cause of action? According to Vijayashankar, blogger’s rights’ are always subordinated to the rights of expression guaranteed to the blogger in his country where he is a citizen.

Furthermore, the rights of a blogger have to be seen in the context of who has the "cause of action" against blog writing, i.e., which party involved has the right to complain. If an individual is a victim of a blog, and that individual is a citizen of another country and is guaranteed certain rights, the blogger's rights cannot override the rights of the victim in his own country. Hence, the victim has the right to invoke law enforcement in his country, and the law enforcement agencies do have a right to seek information from the blogger. If, however, a citizen brings a private civil action against a blogger, the discovery limitations are much more severe across boundaries, and the blogger’s national policy on responding to discovery from other countries will determine the extent to which information from the blogger will be made available. To the extent that the impact of a blogger’s expression reaches across boundaries, his actions should be considered similar to a situation where a citizen of one country does certain things which affect the rights enjoyed by a citizen of another country. It does not seem right that a blogger can say something offensive in one jurisdiction and be held liable, but a different blogger can say the same thing from another jurisdiction and be protected. On the one hand, since the Internet as a medium broadcasts across geographical boundaries, it is the responsibility of the individual countries to erect their "cyber boundaries" if they do not want the broadcast to reach their citizens. On the other, individuals should be able to invoke international laws to seek consistent application of standards about what is actionable and what information is discoverable in support of an action. This suggests that an international tribunal might be the best solution.

Other questions to think about when exploring the idea of a trusted third party holding online bloggers accountable include: who would form the third party, what legal authority/power would they have, would this group also be in charge of reviewing a country’s "cyber boundaries" in addition to holding online bloggers accountable? and how would it avoid being influenced by any one government or by other stakeholders?

Next I asked him for examples of common privacy violations that happen to online users. A few he said included identity theft in the form of phishing, which leads to financial frauds, and is one of the most dangerous consequences of privacy breach. Other examples included manipulation of online profiles in social networking sites to cause annoyance, defamation, and coercion; cyber squatting with content which can be misleading; posting of obscene pictures with or without morphing of victim’s photographs to other obscene photographs/pictures; and SPAM – particularly through mobile phones – are all serious forms of privacy violations.

My third question focused on privacy violations and bloggers. How could a blogger’s rights be compromised, especially with a focus on privacy? For bloggers, is privacy important simply to protect their identity and content, or are there other implications for privacy and bloggers? In our research we have looked into ways in which practices such as data retention by ISPs, government/law enforcements’ access to web content including private conversations, and poorly established user control over privacy settings on websites can violate online users’ privacy. According to Vijayashankar, a blogger is mainly concerned about privacy in the context of protecting his identity. It is important for bloggers to protect their identity because the content they create could be considered controversial or illegal in different regions. Thus, it is critical for bloggers to have the right to blog anonymously. An exception to this right is that if the blog is so offensive then the law enforcement agency can take action. In some countries individuals also can sue bloggers. To help protect bloggers from unreasonable and ungrounded searches, Vijayashankar suggested that a mechanism be created by which international and domestic law enforcement agencies can request 'sensitive' information. This mechanism would work to filter and evaluate requests for information without bias, and according to a country’s law own domestic law.

I then asked him what legal protections he felt bloggers needed. He said that he believes that it is important that bloggers and online users’ right to anonymity, protection of identity and freedom of expression (political and non-political) are protected from excessive regulations. An interesting point that he raised was about the protection of bloggers from international requests for information. According to –him — bloggers can be protected only to the extent to which their rights are protected in their own country. If a request for information comes to a law enforcement agency of a country of which the blogger is a citizen, information may need to be released unless an “asylum” has been granted.

An example of the situation Vijayashankar is referring to is that if a blogger in India writes content that is found to be controversial by the U.S Government; the U.S Government then has a right to request and access that information, unless the Indian Government provides protection over the citizen and the information and refuses to release it. Though right to information requests tend to be governmental, this rule changes if it is a citizen requesting information. Very rarely can a citizen of one country request information about a blogger from another country and gain access. The question of international discovery over Internet material is one that has many angles that need to be taken into consideration – a few being: what the content on the blog contained; was the content against an individual or a government; who is requesting the information — a citizen or the government, and whom are they requesting the information from? For example, in the US Supreme Court case, Calder vs. Jones 465 U.S. 783 (1984), information about a woman, Shirley Jones, was published in another state, but the court ruled that the wrongful action was directed to her where she was.

A large part of the debate over bloggers’ rights is centered on governments’ need to monitor online activity. Developments such as the new rules to the IT Act, the Indian Government’s request for blackberry’s encryption keys, and the news about the government wiretapping citizens’ phones show that the Government of India is demanding access to see and regulate content created by online users in India. When asked about bloggers’ rights and government access to content, Vijayashankar stressed that there has to be a mechanism to check the requests from government agencies, and any such mechanism should have popular representation. He went on to explain that presently an order for the blocking of a blog or for private information is made by a government agency or a court. Unfortunately, government agencies may be responsive to certain interests. Likewise, decisions of conventional courts can be inconsistent. Therefore, it is important that a mechanism that reflects the common person’s input is put in place. This could either be a stand-alone private body, such as Netizen Protection Agency, acting as one more layer of protection, or the government body itself could build in adequate public representation. Courts would need to recognize such bodies and seek their opinion as an input to any dispute. This is an innovative option, but one that is a radical departure from the view of a court as an impartial tribunal that is supposed to weigh every matter independently on its merits.

Lastly, I asked if a privacy legislation could address the issue at hand i.e., could a privacy legislation work to protect bloggers’ rights by providing them identity protection and protection of their content and in general what should be included in a comprehensive privacy legislation? Though India already addresses bloggers’ rights through the Information Technology Act, it could be possible that privacy legislation could establish a third party group to work to protect bloggers’ rights and hold both governments and bloggers’ accountable. When asked what should be included in a comprehensive privacy legislation, Vijayashankar suggested that it should recognize that privacy rights of individuals are part of the larger interests of the society, and a comprehensive legislation should work to take all the stakeholders into consideration.

For more details visit http://editors.cis-india.org/internet-governance/blog/privacy/bloggers-rights-and-privacy

Bit by byte protecting her privacy

Admin — 2018-07-29T01:46:38Z

The Srikrishna committee draft law on data protection is days away. Here’s a bucket list of issues that will matter

The article by Mihir Dalal and Anirban Sen was published in Livemint on July 26, 2018. Amber Sinha was quoted.

In an era dominated by “free” platforms such as Google, Facebook and Amazon, among others, data privacy had largely been considered an academic matter. However, in the past one year that notion has changed forever, bringing data privacy to the fore, as one of the defining issues of the internet, both in India and abroad.

Last August, the Supreme Court ruled that privacy was a fundamental right under the Constitution of India. Concomitantly, the debate over Aadhaar and its potential misuse picked up steam on the back of reports about data breaches in the biometric ID system though these reports were denied by the Unique Identification Authority of India, which built Aadhaar. (The apex Court will deliver its verdict on petitions that have challenged the constitutional validity of Aadhaar and its legal framework)

Globally, Facebook came under severe criticism after it was revealed that the social media giant had compromised user data in the run up to the US elections. Finally, in May, Europe introduced its landmark data privacy law, General Data Protection Regulation (GDPR), which has put users in control of their data through various measures.

The stage is now set for the much-delayed draft law on data protection, which is expected to be submitted soon by the 10-member panel headed by former Supreme Court justice B.N. Srikrishna.

The committee, which had been set up last July, has attracted criticism from some quarters. Earlier this month, more than 150 lawyers, activists and journalists, among others, wrote to the Srikrishna committee, complaining about the lack of transparency in its process, the lack of diversity in the views held by members of the committee, besides other issues. In an earlier letter in November last, activists, lawyers and others had alleged that too many members of the committee held pro-Aadhaar views. Some experts believe that the mandate of the committee was flawed to begin with. “Given that personal information is omnipresent in so many different sectors, it is better to have a light touch legislation that deals mostly with key principles of data privacy and empowers a data commissioner to frame more detailed regulations,” said Stephen Mathias, partner, Kochhar and Co.

Last week, the Telecom Regulatory Authority of India (Trai) released a set of recommendations on data privacy that favour giving users control of their data and personal information, while severely restricting the ways in which telecom and internet companies can use customer data. Here are the major issues to watch out for in the draft data protection law.

Users vs. collectors

This broad umbrella includes mandatory consent of users for data collection, data portability, the right to be forgotten and the right to erasure. Last week, Trai gave its recommendations on some of these issues in what were considered pro-privacy and progressive suggestions. Those recommendations tracked GDPR measures. The Srikrishna committee is also expected to suggest pro-privacy measures, though the details will be all-important. The committee is also expected to define what is ‘sensitive’ or ‘critical’ data. “In India, government agencies, private entities and others collect various forms of data on individuals,” said Chetan Nagendra, partner, AZB Partners. “The committee will have to clarify what category of data is allowed to be collected and whether this should this be standardized across different entities. It will also have to standardize rules on how long is it okay to store such user-collected data.”

The flip side of user rights is the role of data repositories that collect and process user data. The committee will be required to clarify what data firms and government agencies can gather on users and what will be their responsibilities toward the usage of that data. This includes the principle of privacy by design, that is, companies must ensure by default that their platforms are designed to protect rather than exploit user data and privacy.

IndusLaw partner Namita Viswanath said that in terms of data repositories, there was a need to distinguish between a data controller and a data processor. A data controller is the user-facing platform that gathers data, whereas a data processor is often a third-party firm that provides infrastructure for the platform. “Responsibilities of user personal data should be shared between a data controller and processor. The nature and extent of liability should depend on the nature of data, the party responsible for handling data and the measures adopted, but ultimately, the data controller should most responsibility,” Viswanath said.

Regulation vs. Self-control

Given that data is such a broad-ranging topic, the Srikrishna committee will be expected to recommend who should have oversight of data-related matters. Will there be a new data protection authority? If so, what will be its scope, given that regulators, such as the RBI, Sebi and Trai, will all be affected by a privacy framework in their respective areas? And what will be the punitive measures and fines for offenders on data matters?

Some experts said the government should appoint a data protection authority. As the recent travails at Facebook show, relying solely on self-regulation of internet platforms, is a disastrous policy. But it’s unlikely that the entire burden of regulation will fall on one authority.

“Logistical problems are likely, especially in the early days, with having a top-down regulatory approach,” said Kriti Trehan, partner, Panag and Babu. “The process of training, requirement of funding and access to skilled human resources will necessitate organisational and administrative inputs. With this in mind, I believe that a co-regulatory framework for data protection will be efficient. With this approach, established parameters may guide escalation in specific instances.”

Data localisation

In April, the RBI had issued norms on the storage of payments system data, which requires digital payment providers to store data in India. That has sparked another debate over the possible stance of the Srikrishna committee. Many start-ups and firms use data servers located in overseas locations because of several reasons, including economies of scale and tax planning. “Data protection should not be confused with data access,” said Kartik Maheshwari, leader, Nishith Desai Associates. “For instance, if a firm is storing user data abroad, that should be fine as long as it is secure and access in India is provided, whenever required. Storing data locally is not necessarily the best solution from the perspective of data security as better infrastructure may be available abroad. However, the government may, in exceptional cases of sensitivity, legitimately require local storage of very narrowly defined streams of data.”

Surveillance is key

The law will also need to clearly define the contours of the contentious issue of surveillance and how to ensure that India does not end up replicating the policies in place in countries such as China, which are notorious for mass surveillance practices. Surveillance that has been legally sanctioned is part of the exceptions to regular privacy practices. The committee will have to define the parameters of these exceptions. In the case of surveillance, some experts, including Amber Sinha of Centre for Internet and Society, said that while it needs to be allowed in specific instances such as issues related to national security, a judicial system needs to be in place to protect the rights of the parties that are being put under surveillance. This, in many ways, is the heart of a very important matter.

The Aadhaar factor

The most hot-button of all issues for the committee is, of course, Aadhaar. Former UIDAI chairman Nandan Nilekani told Mint this week that “if something needs to be modified in the Aadhaar law, it will be done” by the Srikrishna committee. The changes that the committee will suggest to the Aadhaar law will go a long way in determining whether its draft law is truly pro-privacy.

For more details visit http://editors.cis-india.org/internet-governance/news/livemint-july-26-2018-mihir-dalal-and-anirban-sen-byte-by-byte-protecting-her-privacy

BIS LITD 17 Privacy Panel meeting

praskrishna — 2017-07-07T01:31:35Z

Udbhav Tiwari represented CIS at this meeting organized by National Law School of India University in Bangalore on June 21, 2017.

The bare-bones structure for what as discussed at the meeting can be found in the trailing email below. The standard itself is still in the drafting stage, which makes it confidential. I will share it on this thread once it hits the public draft stage, which should happen by September 2017. (approx)

For more details visit http://editors.cis-india.org/internet-governance/news/bis-litd-17-privacy-panel-meeting