The Centre for Internet and Society
http://editors.cis-india.org
These are the search results for the query, showing results 1 to 15.
Comments to the proposed amendments to The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021
http://editors.cis-india.org/internet-governance/blog/comments-to-proposed-amendments-to-it-intermediary-guidelines-and-digital-media-ethics-code-rules
<b>This note presents comments by the Centre for Internet and Society (CIS), India, on the proposed amendments to the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (“proposed amendments”). We thank Isha Suri for her review of this submission.</b>
<h2 style="text-align: justify; ">Preliminary</h2>
<p style="text-align: justify; ">In these comments, we examine the constitutional validity of the proposed amendments, as well as whether the language of the amendments provide sufficient clarity for its intended recipients. This commentary is in-line with CIS’ previous engagement with other iterations of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021.</p>
<h2 style="text-align: justify; ">General Comments</h2>
<h3 style="text-align: justify; ">Ultra vires the parent act</h3>
<p style="text-align: justify; ">Section 79(1) of the Information Technology (IT) Act states that the intermediary will not be held liable for any third-party information if the intermediary complies with the conditions laid out in Section 79(2). One of these conditions is that the intermediary observe “<i>due diligence while discharging his duties under this Act and also observe such other guidelines as the Central Government may prescribe in this behalf.</i>” Further, Section 87(2)(zg) empowers the central government to prescribe “<i>guidelines to be observed by the intermediaries under sub-section (2) of section 79.</i>”</p>
<p style="text-align: justify; ">A combined reading of Section 79(2) read with Section 89(2)(zg) makes it clear that the power of the Central Government is limited to prescribing guidelines related to the due diligence to be observed by the intermediaries while discharging its duties under the IT Act. However, the proposed amendments extend the original scope of the provisions within the IT Act.</p>
<p style="text-align: justify; ">In particular, the IT Act does not prescribe for any classification of intermediaries. Section 2(1) (w) of the Act defines intermediaries as “<i>with respect to any particular electronic records, means any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record and includes telecom service providers, network service providers, internet service providers, web-hosting service providers, search engines, online payment sites, online-auction sites, online-market places and cyber cafes</i>”. Intermediaries are treated and regarded as a single monolithic entity with the same responsibilities and obligations.</p>
<p style="text-align: justify; ">The proposed amendments have now established a new category of intermediaries, namely online gaming intermediary. This classification comes with additional obligations, codified within Rule 4A of the proposed amendments, including enabling the verification of user-identity and setting up grievance redressal mechanisms. The additional obligations placed on online gaming intermediaries find no basis in the IT Act, which does not specify or demarcate between different categories of intermediaries.</p>
<p style="text-align: justify; ">The 2021 Rules have been prescribed under Section 87(1) and Section 87(2)(z) and (zg) of the IT Act. These provisions do not empower the Central Government to make any amendment to Section 2(w) or create any classification of intermediaries. As has been held by the Supreme Court in <i>State of Karnataka and Another v. Ganesh Kamath & Ors</i> that: “<i>It is a well settled principle of interpretation of statutes that conferment of rule making power by an Act does not enable the rule making authority to make a rule which travels beyond the scope of the enabling Act or which is inconsistent therewith or repugnant thereto.</i>” In this light, we argue that the proposed amendment cannot go beyond the parent act or prescribe policies in the absence of any law/regulation authorising them to do so.</p>
<h3 style="text-align: justify; ">Recommendation</h3>
<p style="text-align: justify; ">We recommend that a regulatory intervention seeking to classify intermediaries and prescribe regulations specific to the unique nature of specific intermediaries should happen through an amendment to the parent act. The amendment should prescribe additional responsibilities and obligations of online gaming intermediaries.</p>
<h3 style="text-align: justify; ">A note on the following sections</h3>
<p style="text-align: justify; ">Since the legality of classifying intermediaries into further categories is under question, our subsequent discussions on the language of the provisions related to online gaming intermediary are recommended to be taken into account for formulating any new legislations relating to these entities.</p>
<h2 style="text-align: justify; ">Specific comments</h2>
<h3 style="text-align: justify; ">Fact checking amendment</h3>
<p style="text-align: justify; ">Amendment to Rule 3(1)(b)(v) states that intermediaries are obligated to ask their users to not host any content that is, <i>inter alia, </i>“<i>identified as fake or false by the fact check unit at the Press Information Bureau of the Ministry of Information and Broadcasting or other agency authorised by the Central Government for fact checking</i>”.</p>
<p style="text-align: justify; ">Read together with Rule 3(1)(c), which gives intermediaries the prerogative to terminate user access to their resources on non-compliance with their rules and regulations, Rule 3(1)(b)(v) essentially affirms the intermediary’s right to remove content that the Central government deems to be ‘fake’. However, in the larger context of the intermediary liability framework of India, where intermediaries found to be not complying with the legal framework of section 79 lose their immunity, provisions such as Rule 3(1)(b)(v) compel intermediaries to actively censor content, on the apprehension of legal sanctions.</p>
<p style="text-align: justify; ">In this light, we argue that Rule 3(1)(b)(v) is constitutionally invalid, inasmuch that Article 19(2), which prescribes grounds under which the government restrict the right to free speech, does not permit restricting speech on the ground that it is ostensibly “<i>fake or false</i>”. In addition, the net effect of this rule would be that the government would be the ultimate arbiter of what is considered ‘truth’, and every contradictions to this narrative would be deemed to be false. In a democratic system like India’s, this cannot be a tenable position, and would go against a rich jurisprudence of constitutional history on the need for plurality.</p>
<p style="text-align: justify; ">For instance, in <i>Indian Express Newspapers v Union of India,</i> the Supreme Court had held that <i>‘the freedom of the press rests on the assumption that the widest possible dissemination of information from diverse and antagonistic sources is essential to the welfare of the public.</i>’ Applying this interpretation to the present case, it could be said that the government’s monopoly on directing what constitutes “<i>fake or false</i>” in the online space would prevent citizens from accessing dissenting voices and counterpoints to government policies .</p>
<p style="text-align: justify; ">This is problematic when one considers that in the Indian context, freedom of speech and expression has always been valued for its instrumental role in ensuring a healthy democracy, and its power to influence public opinion. In the present case, the government, far from facilitating any such condition, is instead actively indulging in guardianship of the public mind (Sarkar et al, 2019).</p>
<p style="text-align: justify; ">Other provisions in the IT Act which permit for censorship of content, including section 69A, permit the government to only do so when content is relatable to grounds enumerated in Article 19(2) of the Constitution. In addition, in the case of <i>Shreya Singhal vs Union of India</i>, where, the constitutionality of section 69A was challenged, the Supreme Court upheld the provision because of the legal safeguards inherent in the provision, including offering a hearing to the originator of the impugned content and reasons for censoring content to be recorded in writing.</p>
<p style="text-align: justify; ">In contrast, a fact check by the Press Information Bureau or by another authorised agency provides no such safeguards, and does not relate to any constitutionally recognized ground for restricting speech.</p>
<h3 style="text-align: justify; ">Recommendation</h3>
<p style="text-align: justify; ">The proposed amendment to Rule 3(1)(b)(v) is unconstitutional, and should be removed from the final draft of the law.</p>
<h2 style="text-align: justify; ">Clarifications are needed for online games rules definitions</h2>
<p style="text-align: justify; ">The definitions of an "online game" and "online gaming intermediary" are currently extremely unclear and require further clarification.</p>
<p style="text-align: justify; ">As the proposed amendments stand, online games are characterised by the user's “<i>deposit with the expectation of earning winnings</i>”. Both deposit and winnings can be “<i>cash</i>” or “<i>in kind</i>", which does not adequately draw a boundary on the type of games this amendment seeks to cover. Can the time invested by the player in playing a game be answered under the “in kind” definition of deposit? If the game provides a virtual in-game currency that can be exchanged for internal power ups, even if there are no cash or gift cards used as payout, is that considered to be an “in kind” winnings? The rules, as currently drafted, are vague in their reference towards “in kind” deposits and payouts.</p>
<p style="text-align: justify; ">This definition of online games also does not differentiate between single or multiplayer games, and traditional games like chess which have found an audience online such as Candy Crush (single player), Minecraft (multiplayer collaborative) or chess (traditional). It is unclear whether these games were intended to fall within the purview of these amendments to the rules, and if they are all subjected to the same due diligence requirements as pay-to-play games. This, in conjunction with the proposed rule 6A which allows the Ministry to term any other game as an online game for the purposes of the rules, also provides them with broad, unpredictable powers . This ambiguity hinders clear comprehension of the expectations among the target stakeholders, thus affecting the consistency and predictability of the implementation of the rules.</p>
<p style="text-align: justify; ">Similarly, "online gaming intermediaries" are also defined very broadly as "<i>intermediary that offers one or more than one online game</i>". As defined, any intermediary that even hosts a link to a game is classified as an online gaming intermediary since the game is now "offered" through the intermediary. As drafted, there does not seem to be a material distinction between an "intermediary" as defined by the act and "online gaming intermediary" as specified by these rules.</p>
<h3 style="text-align: justify; ">Recommendation</h3>
<p style="text-align: justify; ">We recommend further clarification on the definitions of these terms, especially for “in kind” and “offers” which are currently extremely vague terms that provide overbroad powers to the Ministry.</p>
<h2 style="text-align: justify; ">Intermediaries and Games</h2>
<p style="text-align: justify; ">"Online gaming intermediaries" are defined very broadly as "<i>intermediary that offers one or more than one online game</i>". Intermediaries are defined in the Act as "<i>any person who on behalf of another person receives, stores or transmits that message or provides any service with respect to that message</i>".</p>
<p style="text-align: justify; ">According to the media coverage (Barik, 2023) around these amendments, it seems that there is an effort to classify gaming companies as "online gaming intermediaries" but the language of the drafted amendments do not support this. An “intermediary” status is given to a company due to its functional role in primarily offering third party content. It is not a classification for different types of internet companies that exist and thus must not be used to make rules for entities that do not perform this function.</p>
<p style="text-align: justify; ">Not all gaming companies present a collection of games for their users to play. According to the drafted definition multiple platforms where games might be present like, an app stores where multiple game developers can publish their games for access by users, a website that lists links to online games, a social media platform that acts as an intermediary between two users exchanging links to games, as well as websites that host games for users to directly access may all be classified as an "online gaming intermediary" since they "offer" games to users. These are a rather broad range of companies and functions to be singularly classified an "online gaming intermediary".</p>
<h3 style="text-align: justify; ">Recommendation</h3>
<p style="text-align: justify; ">We recommend a thoroughly researched legislative solution to regulating gaming companies that operate online rather than through amendments to intermediary rules. If some companies are indeed to be classified as “online gaming intermediaries”, there is a need for further reasoning on which type of gaming companies and their functions are intermediary functions for the purposes of these Rules.</p>
<hr />
<p>Comments can be <b><a href="http://editors.cis-india.org/internet-governance/it-rules-amendment" class="internal-link">downloaded here</a></b></p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/comments-to-proposed-amendments-to-it-intermediary-guidelines-and-digital-media-ethics-code-rules'>http://editors.cis-india.org/internet-governance/blog/comments-to-proposed-amendments-to-it-intermediary-guidelines-and-digital-media-ethics-code-rules</a>
</p>
No publisherDivyansha Sehgal and Torsha SarkarDigital MediaInternet GovernanceInformation TechnologyIT Act2023-02-07T15:21:47ZBlog EntryNHA Data Sharing Guidelines – Yet Another Policy in the Absence of a Data Protection Act
http://editors.cis-india.org/internet-governance/blog/nha-data-sharing-guidelines
<b>In July this year, the National Health Authority (NHA) released the NHA Data Sharing Guidelines for the Pradhan Mantri Jan Aarogya Yojana (PM-JAY) just two months after publishing the draft Health Data Management Policy.</b>
<p>Reviewed and edited by Anubha Sinha</p>
<hr />
<p style="text-align: justify; ">Launched in 2018, PM-JAY is a public health insurance scheme set to cover 10 crore poor and vulnerable families across the country for secondary and tertiary care hospitalisation. Eligible candidates can use the scheme to avail of cashless benefits at any public/private hospital falling under this scheme. Considering the scale and sensitivity of the data, the creation of a well-thought-out data-sharing document is a much-needed step. However, the document – though only a draft – has certain portions that need to be reconsidered, including parts that are not aligned with other healthcare policy documents. In addition, the guidelines should be able to work in tandem with the Personal Data Protection Act whenever it comes into force. With no prior intimation of the publication of the guidelines, and the provision of a mere 10 days for consultation, there was very little scope for stakeholders to submit their comments and participate in the consultation. While the guidelines pertain to the PM-JAY scheme, it is an important document to understand the government’s concerns and stance on the sharing of health data, especially by insurance companies.</p>
<h3 style="text-align: justify; ">Definitions: Ambiguous and incompatible with similar policy documents</h3>
<p style="text-align: justify; ">The draft guidelines add to the list of health data–related policies that have been published since the beginning of the pandemic. These include three draft health data management policies published within two years, which have already covered the sharing and management of health data. The draft guidelines repeat the pattern of earlier policies on health data, wherein there is no reference to the policies that predated it; in this case, the guidelines fail to refer to the draft National Digital Health Data Management Policy (published in April 2022). To add to this, the document – by placing the definitions at the end – is difficult to read and understand, especially when terms such as ‘beneficiary’, ‘data principal’, and ‘individual’ are used interchangeably. In the same vein, the document uses the terms ‘data principal’ and ‘data fiduciary’, and the definitions of health data and personal data, from the 2019 PDP Bill, while also referring to the IT Act SDPI Rules and its definition of ‘sensitive personal data’. While the guidelines state that the IT Act and Rules will be the legislation to refer to for these guidelines, it is to be noted that the IT Act under the SPDI Rules covers ‘body corporates’, which under Section 43A(1), is defined as “any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities;”. It is difficult to add responsibility and accountability to the organisations under the guidelines when they might not even be covered under this definition.</p>
<p style="text-align: justify; ">With each new policy, civil society organisations have been pointing out the need to have a data protection act before introducing policies and guidelines that deal with the processing and sharing of the data of individuals. Ideally, these policies – even in draft form – should have been published after the Personal Data Protection Bill was enacted, to ensure consistency with the provisions of the law. For example, the guidelines introduce a new category of governance mechanisms under the data-sharing committee headed by a data-sharing officer (DSO). The responsibilities and powers of the DSO are similar to that of the data protection officer under the draft PDP Bill as well as the National Data Health Management Policy (NHDMP). This, in turn, raises the question of whether the DSO and the DPOs under both the PDP Bill and the draft NDMP will have the same responsibilities. Clarity in terms of which of the policies are in force and how they intersect is needed to ensure a smooth implementation. Ideally, having multiple sources of definitions should be addressed at the drafting stage itself.</p>
<h3 style="text-align: justify; ">Guiding Principles: Need to look beyond privacy</h3>
<p style="text-align: justify; ">The guidelines enumerate certain principles to govern the use, collection, processing, and transmission of the personal or sensitive personal data of beneficiaries. These principles are accountability, privacy by design, choice and consent, openness/transparency, etc. While these provisions are much needed, their explanation at times misses the mark of why these principles were added. For example, in the case of accountability, the guidelines state that the ‘data fiduciary’ shall be accountable for complying with measures based on the guiding principles However, it does not specify who the fiduciaries would be accountable to and what the steps are to ensure accountability. Similarly, in the case of openness and transparency, the guidelines state that the policies and practices relating to the management of personal data will be available to all stakeholders. However, openness and transparency need to go beyond policies and practices and should consider other aspects of openness, including open data and the use of open-source software and open standards. This again will add to transparency, in that it would specify the rights of the data principal, as the current draft looks at the rights of the data principal merely from a privacy perspective. In the case of purpose limitation as well, the guidelines are tied to the privacy notice, which again puts the burden on the individual (in this case, beneficiary) when the onus should actually be on the data fiduciary. Lastly, under the empowerment of beneficiaries, the guidelines state that the “data principal shall be able to seek correction, amendments, or deletion of such data where it is inaccurate;”. The right to deletion should not be conditional on inaccuracy, especially when entering the scheme is optional and consent-based.</p>
<h3 style="text-align: justify; ">Data sharing with third parties without adequate safeguards</h3>
<p style="text-align: justify; ">The guidelines outline certain cases where personal data can be collected, used, or disclosed without the consent of the individual. One of these cases is when the data is anonymised. However, the guidelines do not detail how this anonymisation would be achieved and ensured through the life cycle of the data, especially when the clause states that the data will also be collected without consent. The guidelines also state that the anonymised data could be used for public health management, clinical research, or academic research. The guidelines should have limited the scope of academic research or added certain criteria to gain access to the data; the use of vague terminology could lead to this data (sometimes collected without consent) being de-anonymised or used for studies that could cause harm to the data principal or even a particular community. The guidelines state that the data can be shared as ‘protected health information’ with a government agency for oversight activities authorised by law, epidemic control, or in response to court orders. With the sharing of data, care should be taken to ensure data minimisation and purpose limitations that go beyond the explanations added in the body of the guidelines. In addition, the guidelines also introduce the concept of a ‘clean room’, which is defined as “a secure sandboxed area with access controls, where aggregated and anonymised or de-identified data may be shared for the purposes of developing inference or training models”. The definition does not state who will be developing these training models; it could be a cause of worry if AI companies or even insurance companies have the potential to use this data to train models that could eventually make decisions based on the results. The term ‘sandbox’ is explained under the now revoked DP Bill 2021 as “such live testing of new products or services in a controlled or test regulatory environment for which the Authority may or may not permit certain regulatory relaxations for a<br />specified period for the limited purpose of the testing”. Neither the 2019 Bill nor the IT Act/Rules defines ‘sandbox’; the guidelines should have ideally spent more time explaining how the sandbox system in the ‘Clean Room’ works.</p>
<h3 style="text-align: justify; ">Conclusion</h3>
<p style="text-align: justify; ">The draft Data Sharing Guidelines are a welcome step in ensuring that the entities sharing and processing data have guidelines to adhere to, especially since the Data Protection Bill has not been passed yet. The mention of the best practices for data sharing in annexures, including practices for people who have access to the data, is a step in the right direction, which could be made better with regular training and sensitisation. While the guidelines are a good starting point, they still suffer from the issues that have been highlighted in similar health data policies, including not referring to older policies, adding new entities, and the reliance on digital and mobile technology. The guidelines could have added more nuance to the consent and privacy by design sections to ensure other forms of notice, e.g., notice in audio form in different Indian languages. While PM-JAY aims to reach 10 crore poor and vulnerable families, there is a need to look at how to ensure that consent is given according to the guidelines that are “free, informed, clear, and specific”.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/nha-data-sharing-guidelines'>http://editors.cis-india.org/internet-governance/blog/nha-data-sharing-guidelines</a>
</p>
No publisherShweta Mohandas and Pallavi BediIT ActInternet GovernanceData ProtectionPrivacy2022-09-29T15:17:24ZBlog EntryNew intermediary guidelines: The good and the bad
http://editors.cis-india.org/internet-governance/blog/new-intermediary-guidelines-the-good-and-the-bad
<b>In pursuance of the government releasing the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, this blogpost offers a quick rundown of some of the changes brought about the Rules, and how they line up with existing principles of best practices in content moderation, among others. </b>
<p> </p>
<p>This article originally appeared in the Down to Earth <a class="external-link" href="https://www.downtoearth.org.in/blog/governance/new-intermediary-guidelines-the-good-and-the-bad-75693">magazine</a>. Reposted with permission.</p>
<p>-------</p>
<p>The Government of India notified the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021. The operation of these rules would be in supersession of the existing intermediary liability rules under the Information Technology (IT) Act, made back in 2011.</p>
<p>These IL rules would have a significant impact on our relationships with internet ‘intermediaries’, i.e. gatekeepers and getaways to the internet, including social media platforms, communication and messaging channels.</p>
<p>The rules also make a bid to include entities that have not traditionally been considered ‘intermediaries’ within the law, including curated-content platforms such as Netflix and Amazon Prime as well as digital news publications.</p>
<p>These rules are a significant step-up from the draft version of the amendments floated by the Union government two years ago; in this period, the relationship between the government around the world and major intermediaries changed significantly. </p>
<p>The insistence of these entities in the past, that they are not ‘arbiters of truth’, for instance, has not always held water in their own decision-makings.</p>
<p>Both Twitter and Facebook, for instance, have locked the former United States president Donald Trump out of their platforms. Twitter has also resisted to fully comply with government censorship requests in India, spilling into an interesting policy tussle between the two entities. It is in the context of these changes, therefore, that we must we consider the new rules.</p>
<p><strong>What changed for the good?</strong></p>
<p>One of the immediate standouts of these rules is in the more granular way in which it aims to approach the problem of intermediary regulation. The previous draft — and in general the entirety of the law — had continued to treat ‘intermediaries’ as a monolithic entity, entirely definable by section 2(w) of the IT Act, which in turn derived much of its legal language from the EU E-commerce Directive of 2000.</p>
<p>Intermediaries in the directive were treated more like ‘simple conduits’ or dumb, passive carriers who did not play any active role in the content. While that might have been the truth of the internet when these laws and rules were first enacted, the internet today looks much different.</p>
<p>Not only is there a diversification of services offered by these intermediaries, there’s also a significant issue of scale, wielded by a few select players, either by centralisation or by the sheer number of user bases. A broad, general mandate would, therefore, miss out on many of these nuances, leading to imperfect regulatory outcomes.</p>
<p>The new rules, therefore, envisage three types of entities:</p>
<ul><li>There are the ‘intermediaries’ within the traditional, section 2(w) meaning of the IT Act. This would be the broad umbrella term for all entities that would fall within the ambit of the rules.</li><li>There are the ‘social media intermediaries’ (SMI), as entities, which enable online interaction between two or more users.</li><li>The rules identify ‘significant social media intermediaries’ (SSMI), which would mean entities with user-thresholds as notified by the Central Government.</li></ul>
<p>The levels of obligations vary based on these hierarchies of classification. For instance, an SSMI would be obligated with a much higher standard of transparency and accountability towards their users. They would have to fulfill by publishing six-monthly transparency reports, where they have to outline how they dealt with requests for content removal, how they deployed automated tools to filter content, and so on.</p>
<p>I have previously argued how transparency reports, when done well, are an excellent way of understanding the breadth of government and social media censorships. Legally mandating this is then perhaps a step in the right direction.</p>
<p>Some other requirements under this transparency principle include giving notice to users whose content has been disabled, allowing them to contest such removal, etc.</p>
<p>One of the other rules from the older draft that had raised a significant amount of concern was the proactive filtering mandate, where intermediaries were liable to basically filter for all unlawful content. This was problematic on two counts:</p>
<ul><li>Developments in machine learning technologies are simply not up there to make this a possibility, which would mean that there would always be a chance that legitimate and legal content would get censored, leading to general chilling effect on digital expression</li><li>The technical and financial burden this would impose on intermediaries would have impacted the competition in the market.</li></ul>
<p>The new rules seemed to have lessened this burden, by first, reducing it from being mandatory to being best endeavour-basis; and second, by reducing the ambit of ‘unlawful content’ to only include content depicting sexual abuse, child sexual abuse imagery (CSAM) and duplicating to already disabled / removed content.</p>
<p>This specificity would be useful for better deployment of such technologies, since previous research has shown that it’s considerably easier to train a machine learning tool on corpus of CSAM or abuse, rather than on more contextual, subjective matters such as hate speech.</p>
<p><strong>What should go?</strong></p>
<p>That being said, it is concerning that the new rules choose to bring online curated content platforms (OCCPs) within the ambit of the law by proposals of a three-tiered self-regulatory body and schedules outlining guidelines about the rating system these entities should deploy.</p>
<p>In the last two years, several attempts have been made by the Internet and Mobile Association of India (IAMAI), an industry body consisting of representatives of these OCCPs, to bring about a self-regulatory code that fills in the supposed regulatory gap in the Indian law.</p>
<p>It is not known if these stakeholders were consulted before the enactment of these provisions. Some of this framework would also apply to publishers of digital news portals.</p>
<p>Noticeably, this entire chapter was also missing from the old draft, and introducing it in the final form of the law without due public consultations is problematic.</p>
<p>Part III and onwards of the rules, which broadly deal with the regulation of these entities, therefore, should be put on hold and opened up for a period of public and stakeholder consultations to adhere to the true spirit of democratic participation.</p>
<p><em>The author would like to thank Gurshabad Grover for his editorial suggestions. </em></p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/new-intermediary-guidelines-the-good-and-the-bad'>http://editors.cis-india.org/internet-governance/blog/new-intermediary-guidelines-the-good-and-the-bad</a>
</p>
No publisherTorSharkIT ActIntermediary LiabilityInternet GovernanceCensorshipArtificial Intelligence2021-03-15T13:52:46ZBlog EntryResponse to the Pegasus Questionnaire issued by the SC Technical Committee
http://editors.cis-india.org/internet-governance/blog/response-to-pegasus-questionnaire-issued-by-sc-technical-committee
<b>On March 25, 2022, the Supreme Court appointed Technical Committee constituted to examine the allegations of alleged unauthorised surveillance using the Pegasus software released a questionnaire seeking responses and comments from the general public.</b>
<p style="text-align: justify; ">The questionnaire had 11 questions and the responses had to be submitted through an online form- which was available <a class="external-link" href="https://pegasus-india-investigation.in/invitation-to-comment/-">here</a>. The last date for submitting the response was March 31, 2022. CIS had submitted the following responses to the questions in the questionnaire. Access the <b><a href="http://editors.cis-india.org/internet-governance/response-to-the-pegasus-investigation" class="internal-link">Response to the Questionnaire</a></b></p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/response-to-pegasus-questionnaire-issued-by-sc-technical-committee'>http://editors.cis-india.org/internet-governance/blog/response-to-pegasus-questionnaire-issued-by-sc-technical-committee</a>
</p>
No publisherAnamika Kundu, Digvijay, Arindrajit Basu, Shweta Mohandas and Pallavi BediIT ActSurveillanceInternet GovernancePrivacy2022-04-13T14:45:41ZBlog EntryTo preserve freedoms online, amend the IT Act
http://editors.cis-india.org/internet-governance/blog/hindustan-times-april-16-2019-gurshabad-grover-to-preserve-freedoms-online-amend-it-act
<b>Look into the mechanisms that allow the government and ISPs to carry out online censorship without accountability.</b>
<p style="text-align: justify; ">The article by Gurshabad Grover was published in the <a class="external-link" href="https://www.hindustantimes.com/analysis/to-preserve-freedoms-online-amend-the-it-act/story-aC0jXUId4gpydJyuoBcJdI.html">Hindustan Times</a> on April 16, 2019.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">The issue of blocking of websites and online services in India has gained much deserved traction after internet users reported that popular services like Reddit and Telegram were inaccessible on certain Internet Service Providers (ISPs). The befuddlement of users calls for a look into the mechanisms that allow the government and ISPs to carry out online censorship without accountability.</p>
<p style="text-align: justify; ">Among other things, Section 69A of the Information Technology (IT) Act, which regulates takedown and blocking of online content, allows both government departments and courts to issue directions to ISPs to block websites. Since court orders are in the public domain, it is possible to know this set of blocked websites and URLs. However, the process is much more opaque when it comes to government orders.</p>
<p style="text-align: justify; ">The Information Technology (Procedure and Safeguards for Blocking for Access of Information by Public) Rules, 2009, issued under the Act, detail a process entirely driven through decisions made by executive-appointed officers. Although some scrutiny of such orders is required normally, it can be waived in cases of emergencies. The process does not require judicial sanction, and does not present an opportunity of a fair hearing to the website owner. Notably, the rules also mandate ISPs to maintain all such government requests as confidential, thus making the process and complete list of blocked websites unavailable to the general public.</p>
<p style="text-align: justify; ">In the absence of transparency, we have to rely on a mix of user reports and media reports that carry leaked government documents to get a glimpse into what websites the government is blocking. Civil society efforts to get the entire list of blocked websites have repeatedly failed. In response to the Right to Information (RTI) request filed by the Software Freedom Law Centre India in August 2017, the Ministry of Electronics and IT refused to provide the entire of list of blocked websites citing national security and public order, but only revealed the number of blocked websites: 11,422.</p>
<p style="text-align: justify; ">Unsurprisingly, ISPs do not share this information because of the confidentiality provision in the rules. A 2017 study by the Centre for Internet and Society (CIS) found all five ISPs surveyed refused to share information about website blocking requests. In July 2018, the Bharat Sanchar Nagam Limited rejected the RTI request by CIS which asked for the list of blocked websites.</p>
<p style="text-align: justify; ">The lack of transparency, clear guidelines, and a monitoring mechanism means that there are various forms of arbitrary behaviour by ISPs. First and most importantly, there is no way to ascertain whether a website block has legal backing through a government order because of the aforementioned confidentiality clause. Second, the rules define no technical method for the ISPs to follow to block the website. This results in some ISPs suppressing Domain Name System queries (which translate human-parseable addresses like ‘example.com’ to their network address, ‘93.184.216.34’), or using the Hypertext Transfer Protocol (HTTP) headers to block requests. Third, as has been made clear with recent user reports, users in different regions and telecom circles, but serviced by the same ISP, may be facing a different list of blocked websites. Fourth, when blocking orders are rescinded, there is no way to make sure that ISPs have unblocked the websites. These factors mean that two Indians can have wildly different experiences with online censorship.</p>
<p style="text-align: justify; ">Organisations like the Internet Freedom Foundation have also been pointing out how, if ISPs block websites in a non-transparent way (for example, when there is no information page mentioning a government order presented to users when they attempt to access a blocked website), it constitutes a violation of the net neutrality rules that ISPs are bound to since July 2018.</p>
<p style="text-align: justify; ">While the Supreme Court upheld the legality of the rules in 2015 in Shreya Singhal vs. Union of India, recent events highlight how the opaque processes can have arbitrary and unfair outcomes for users and website owners. The right to access to information and freedom of expression are essential to a liberal democratic order. To preserve these freedoms online, there is a need to amend the rules under the IT Act to replace the current regime with a transparent and fair process that makes the government accountable for its decisions that aim to censor speech on the internet.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/hindustan-times-april-16-2019-gurshabad-grover-to-preserve-freedoms-online-amend-it-act'>http://editors.cis-india.org/internet-governance/blog/hindustan-times-april-16-2019-gurshabad-grover-to-preserve-freedoms-online-amend-it-act</a>
</p>
No publishergurshabadFreedom of Speech and ExpressionIT ActInternet GovernanceInternet Freedom2019-04-16T10:09:41ZBlog EntryIs the new ‘interception’ order old wine in a new bottle?
http://editors.cis-india.org/internet-governance/blog/newslaundry-elonnai-hickok-vipul-kharbanda-shweta-mohandas-and-pranav-bidare-december-27-2018-is-the-new-interception-order-old-wine-in-a-new-bottle
<b>The government could always authorise intelligence agencies to intercept and monitor communications, but the lack of clarity is problematic.</b>
<p style="text-align: justify; ">An opinion piece co-authored by Elonnai Hickok, Vipul Kharbanda, Shweta Mohandas and Pranav M. Bidare was published in <a class="external-link" href="https://www.newslaundry.com/2018/12/27/is-the-new-interception-order-old-wine-in-a-new-bottle">Newslaundry.com</a> on December 27, 2018.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">On December 20, 2018, through an <a href="http://egazette.nic.in/WriteReadData/2018/194066.pdf" target="_blank">order</a> issued by the Ministry of Home Affairs (MHA), 10 security agencies—including the Intelligence Bureau, the Central Bureau of Investigation, the Enforcement Directorate and the National Investigation Agency—were listed as the intelligence agencies in India with the power to intercept, monitor and decrypt "any information" generated, transmitted, received, or stored in any computer under Rule 4 of the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009, framed under section 69(1) of the IT Act.</p>
<p style="text-align: justify; ">On December 21, the Press Information Bureau published a <a href="http://www.pib.nic.in/PressReleseDetail.aspx?utm_campaign=fullarticle&utm_medium=referral&PRID=1556945" target="_blank">press release</a> providing clarifications to the previous day’s order. It said the notification served to merely reaffirm the existing powers delegated to the 10 agencies and that no new powers were conferred on them. Additionally, the release also stated that “adequate safeguards” in the IT Act and in the Telegraph Act to regulate these agencies’ powers.</p>
<p style="text-align: justify; ">Presumably, these safeguards refer to the Review Committee constituted to review orders of interception and the prior approval needed by the Competent Authority—in this case, the secretary in the Ministry of Home Affairs in the case of the Central government and the secretary in charge of the Home Department in the case of the State government.</p>
<p style="text-align: justify; ">As noted in the press release, the government has always had the power to authorise intelligence agencies to submit requests to carry out the interception, decryption, and monitoring of communications, under Rule 4 of the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009, framed under section 69(1) of the IT Act.</p>
<p style="text-align: justify; ">When considering the implications of this notification, it is important to look at it in the larger framework of India’s surveillance regime, which is made up of a set of provisions found across multiple laws and operating licenses with differing standards and surveillance capabilities.</p>
<p style="text-align: justify; ">- Section 5(2) of the Indian Telegraph Act, 1885 allows the government (or an empowered authority) to intercept or detain transmitted information on the grounds of a public emergency, or in the interest of public safety if satisfied that it is necessary or expedient so to do in the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign states or public order or for preventing incitement to the commission of an offence. This is supplemented by Rule 419A of the Indian Telegraph Rules, 1951, which gives further directions for the interception of these messages.</p>
<p style="text-align: justify; ">- Condition 42 of the <a href="http://www.dot.gov.in/sites/default/files/DOC270613-013.pdf" target="_blank">Unified Licence for Access Services</a>, mandates that every telecom service provider must facilitate the application of the Indian Telegraph Act. Condition 42.2 specifically mandates that the license holders must comply with Section 5 of the same Act.</p>
<p style="text-align: justify; ">- Section 69(1) of the Information Technology Act and associated Rules allows for the interception, monitoring, and decryption of information stored or transmitted through any computer resource if it is found to be necessary or expedient to do in the interest of the sovereignty or integrity of India, defense of India, security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of any cognizable offence relating to above or for investigation of any offence.</p>
<p style="text-align: justify; ">- Section 69B of the Information Technology Act and associated Rules empowers the Centre to authorise any agency of the government to monitor and collect traffic data “to enhance cyber security, and for identification, analysis, and prevention of intrusion, or spread of computer contaminant in the country”.</p>
<p style="text-align: justify; ">- Section 92 of the CrPc allows for a Magistrate or Court to order access to call record details.</p>
<p style="text-align: justify; ">Notably, a key difference between the IT Act and the Telegraph Act in the context of interception is that the Telegraph Act permits interception for preventing incitement to the commission of an offence on the condition of public emergency or in the interest of public safety while the IT Act permits interception, monitoring, and decryption of any cognizable offence relating to above or for investigation of any offence. Technically, this difference in surveillance capabilities and grounds for interception could mean that different intelligence agencies would be authorized to carry out respective surveillance capabilities under each statute. Though the Telegraph Act and the associated Rule 419A do not contain an equivalent to Rule 4—<a href="https://mha.gov.in/MHA1/Par2017/pdfs/par2013-pdfs/ls-110214/294.pdf" target="_blank">nine Central Government agencies and one State Government agency</a> have previously been authorized under the Act. The Central Government agencies authorised under the Telegraph Act are the same as the ones mentioned in the December 20 notification with the following differences:</p>
<p style="text-align: justify; ">- Under the Telegraph Act, the Research and Analysis Wing (RAW) has the authority to intercept. However, the 2018 notification more specifically empowers the Cabinet Secretariat of RAW to issue requests for interception under the IT Act.</p>
<p style="text-align: justify; ">- Under the Telegraph Act, the Director General of Police, of concerned state/Commissioner of Police, Delhi for Delhi Metro City Service Area, has the authority to intercept. However, the 2018 notification specifically authorises the Commissioner of Police, New Delhi with the power to issue requests for interception.</p>
<p style="text-align: justify; ">That said, the<a href="https://cis-india.org/internet-governance/resources/it-procedure-and-safeguard-for-monitoring-and-collecting-traffic-data-or-information-rules-2009" target="_blank"> IT (Procedure and safeguard for Monitoring and Collecting Traffic Data or Information) Rules, 2009 </a>under 69B of the IT Act contain a provision similar to Rule 4 of the IT (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 - allowing the government to authorize agencies that can monitor and collect traffic data. In 2016, the Central Government <a href="http://meity.gov.in/writereaddata/files/69B%20Notification%20-April%202016.pdf" target="_blank">authorised</a> the Indian Computer Emergency Response Team to monitor and collect traffic data, or information generated, transmitted, received, or stored in any computer resource. This was an exercise of the power conferred upon the Central Government by Section 69B(1) of the IT Act. However, this notification does not reference Rule 4 of the IT Rules, thus it is unclear if a similar notification has been issued under Rule 4.</p>
<p style="text-align: justify; ">While it is accurate that the order does not confer new powers, areas of concern that existed with India’s surveillance regime continue to remain including the question of whether 69(1) and 69B and associated Rules are <a href="https://thewire.in/government/narendra-modi-snooping-it-act-home-ministry" target="_blank">constitutionally</a> valid, the lack of t<a href="https://cis-india.org/internet-governance/blog/transparency-in-surveillance" target="_blank">ransparency</a> by the government and the prohibition of transparency by service providers, <a href="https://cis-india.org/internet-governance/blog/yahoo-october-23-2013-what-india-can-learn-from-snowden-revelations" target="_blank">heavy handed </a>penalties on service providers for non-compliance, and a lack of legal backing and <a href="https://cis-india.org/internet-governance/blog/policy-brief-oversight-mechanisms-for-surveillance" target="_blank">oversight</a> mechanisms for intelligence agencies. Some of these could be addressed if the draft Data Protection Bill 2018 is enacted and the Puttaswamy Judgement fully implemented.</p>
<p style="text-align: justify; "><b>Conclusion</b></p>
<p style="text-align: justify; ">The MHA’s order and the press release thereafter have served to publicise and provide needed clarity with respect to the powers vested in which intelligence agencies in India under section 69(1) of the IT Act. This was previously unclear and could have posed a challenge to ensuring oversight and accountability of actions taken by intelligence agencies issuing requests under section 69(1) .</p>
<p style="text-align: justify; ">The publishing of the list has subsequently served to raise questions and create a debate about key issues concerning privacy, surveillance and state overreach. On <a href="https://barandbench.com/ministry-of-home-affairs-surveillance-order-challenged-in-supreme-court/" target="_blank">December 24</a>, the order was challenged by advocate ML Sharma on the grounds of it being illegal, unconstitutional and contrary to public interest. Sharma in his contention also stated the need for the order to be tested on the basis of the right to privacy established by the Supreme Court in Puttaswamy which laid out the test of necessity, legality, and proportionality. According to this test, any law that encroaches upon the privacy of the individual will have to be justified in the context of the right to life under Article 21.</p>
<p style="text-align: justify; ">But there are also other questions that exist. India has multiple laws enabling its surveillance regime and though this notification clarifies which intelligence agencies can intercept under the IT Act, it is still seemingly unclear which intelligence agencies can monitor and collect traffic data under the 69B Rules. It is also unclear what this order means for past interceptions that have taken place by agencies on this list or agencies outside of this list under section 69(1) and associated Rules of the IT Act. Will these past interceptions possess the same evidentiary value as interceptions made by the authorised agencies in the order?</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/newslaundry-elonnai-hickok-vipul-kharbanda-shweta-mohandas-and-pranav-bidare-december-27-2018-is-the-new-interception-order-old-wine-in-a-new-bottle'>http://editors.cis-india.org/internet-governance/blog/newslaundry-elonnai-hickok-vipul-kharbanda-shweta-mohandas-and-pranav-bidare-december-27-2018-is-the-new-interception-order-old-wine-in-a-new-bottle</a>
</p>
No publisherElonnai Hickok, Vipul Kharbanda, Shweta Mohandas and Pranav M. BidareIT ActPrivacyInternet GovernanceCyber SecurityInformation Technology2018-12-29T16:02:00ZBlog EntryThe thrill of saving India from cybercrime
http://editors.cis-india.org/internet-governance/news/the-hindu-peerzada-abrar-november-20-2016-the-thrill-of-saving-india-from-cybercrime
<b>Geeks seize the chance to help the government, defence forces and banks draw up fences against tech crimes.</b>
<p class="body" style="text-align: justify; ">The <a class="external-link" href="http://www.thehindu.com/business/Industry/the-thrill-of-saving-india-from-cybercrime/article9367640.ece">article by Peerzada Abrar was published in the Hindu </a>on November 20, 2016.</p>
<hr />
<p class="body" style="text-align: justify; ">Saket Modi loves long flights. The 26-year-old hacker likes to do most of his reasoning while criss-crossing the world. It was on one such flight from the United States to India that the co-founder of cybersecurity start-up Lucideus Tech read about India's largest data security breaches. While surfing the in-flight Internet he came to know that the security of about 3.2 million debit cards had been compromised.</p>
<p class="body" style="text-align: justify; ">“I was not surprised but I started thinking about how it would have happened. What was the ‘exploit’ used, how long was it there,” said Mr. Modi. Soon after reaching New Delhi, he received multiple requests from several banks and organisations to protect them from the hacking incident, which is just one of the thousands of cybercrimes that the country is facing.</p>
<p class="body" style="text-align: justify; ">In India, there has been a surge of approximately 350 per cent of cybercrime cases registered under the Information Technology (IT) Act, 2000 from the year of 2011 to 2014, according to a joint study by The Associated Chambers of Commerce and Industry of India and consulting firm PricewaterhouseCoopers. The Indian Computer Emergency Response Team (CERT-In) has also reported a surge in the number of incidents handled by it, with close to 50,000 security incidents in 2015, noted the Assocham-PwC joint study.</p>
<p style="text-align: justify; "><b>Ethical hackers</b></p>
<p class="body" style="text-align: justify; ">Mr. Modi is among a new breed of ethical hackers-turned-entrepreneurs who are betting big on this opportunity. An ethical hacker is a computer expert who hacks into a computer network on the behalf of its owner in order to test or evaluate its security, rather than with malicious or criminal intent.</p>
<p class="body" style="text-align: justify; ">“You cannot live in a world where you think that you can't be hacked. It doesn’t matter who you are,” said Mr. Modi who cofounded Lucideus four years ago. The company clocked revenues of Rs.4 crore in the last fiscal. This compares with the Rs.2.5 lakh revenues in the first year. The New Delhi-based firm now counts Reserve Bank of India, Ministry of Defence and Standard Chartered among its top clients.</p>
<p class="body" style="text-align: justify; ">Mr. Modi, who is also a pianist, discovered his skills for hacking into secure computer systems while preparing for his board exams. He hacked into his school computer and stole the chemistry question paper, after realising that he would not be able to clear the test conducted by his school. However, a guilty conscience compelled him to confess to his teacher who permitted him to still take the test. The incident transformed him to use his skills to protect and not misuse them. This year, Lucideus was hired by National Payments Corporation of India (NPCI) along with other information security specialists to protect its most ambitious project, the Unified Payment Interface (UPI) platform, from cyber attacks. UPI aims to bring digital banking to 1.2 billion people in the country. Lucideus has a team of 70 people mostly fresh college graduates who do hacking with authorisation.</p>
<p class="body" style="text-align: justify; ">“The reason behind choosing Lucideus was their young, energetic and knowledgeable team," said Bhavesh Lakhani, chief technology officer of DSP BlackRock, one of the premier asset management companies. Mr. Lakhani said that India is currently the epicentre of financial and technological advancements which make it a probable target of cyber-attacks.</p>
<p style="text-align: justify; "><b>Hacking lifeline</b></p>
<p class="body" style="text-align: justify; ">Indeed, a new breed of cyber criminals has emerged, whose main aim is not just financial gains but also cause disruption and chaos to businesses in particular and the nation at large, according to the Assocham-PwC study. Attackers can gain control of vital systems such as nuclear plants, railways, transportation and hospitals. This can subsequently lead to dire consequences such as power failures, water pollution or floods, disruption of transportation systems and loss of life, noted the study.</p>
<p class="body" style="text-align: justify; ">“The hacker doesn’t care whether he is attacking an Indian or a U.S. company. It is bread and butter for him and he wants to eat it wherever he gets it from,” said Trishneet Arora, a 22-year-old ethical hacker. In an office tucked away in Mohali, a commercial hub lying adjacent to the city of Chandigarh in Punjab, Mr.Arora fights these cyberattacks on a daily basis to protect his clients. His start-up TAC Security provides an emergency service to customers who have been hacked or are anticipating a cyberattack. It alerted a hospital in the U.S. after detecting vulnerabilities in their computer network.</p>
<p class="body" style="text-align: justify; ">Mr.Arora said that the hackers could have easily shut down the intensive care unit which was connected to it and remotely killed the patients. TAC said the data server of a bank in the UAE containing critical information got hacked recently. The bank also lost access to the server. TAC said that it not only helped the organisation to get back access to the server but also traced the hacker’s identity.</p>
<p class="body" style="text-align: justify; ">A school drop out, Mr.Arora founded TAC three years ago. But he initially found it tough to convince enterprises about his special skills. “I was a backbencher in the classroom and not good in studies, but I loved playing video games and hacking,” he said. He conducted workshops on hacking and provided his expertise to law enforcement agencies such as the Central Bureau of Investigation and various State police departments. His firm now provides its services to customers such as Reliance Industries, dairy brand Amul and tractor manufacturer Sonalika.</p>
<p class="body" style="text-align: justify; ">“We were surprised by their expertise,” said R.S. Sodhi, managing director of Amul. “We wanted to be sure that the company’s vital IT infrastructure is in the right hands – the big question was, ‘Who can that be?’ In TAC, we found that team.”</p>
<p class="body" style="text-align: justify; ">TAC expects to cross revenues of $5 million (Rs.33 crore) and employ about 100 ethical hackers by next year.</p>
<p style="text-align: justify; "><b>Budget woes</b></p>
<p class="body" style="text-align: justify; ">Security watchers such as Sunil Abraham, executive director of Bengaluru-based think tank Centre for Internet and Society said that India’s cybersecurity budget is woefully inadequate when compared to the spending by other countries. In 2014-15, the government doubled its cybersecurity budget by earmarking Rs.116 crore. “We require a budget of $1 billion per annum or every two years to build the cybersecurity infrastructure. The current cyber security policy has no such budget,” said Mr. Abraham.</p>
<p class="body" style="text-align: justify; ">According to Data Security Council of India (DSCI), India's cybersecurity market is expected to grow nine-fold to $35 billion by 2025, from about $4 billion. This would mainly be driven by an ecosystem to promote the growth of indigenous security product and services start-up companies.</p>
<p class="body" style="text-align: justify; ">The Cyber Security Task Force (CSTF) set up by DSCI and industry body Nasscom expects to create a trained base of one million certified and skilled cybersecurity professionals. It also aims to build more than 100 successful security product companies from India. Investors who normally focus on e-commerce ventures or public markets are now taking note of this opportunity and are betting on such ventures. Amit Choudhary, director, MotilalOswal Private Equity and an investor in Lucideus, said he saw tremendous opportunity in the cybersecurity market as hackers are shifting their focus from developed countries to emerging countries like India.</p>
<p class="body" style="text-align: justify; ">“There is a huge opportunity. The recent security breaches of a few Indian banks are an example,” said Vijay Kedia an ace stock picker and an investor in TAC Security. He said that organisations are still unaware of the widespread damage that can be caused by hackers. “The next war will be a ‘cyberwar’,” he said.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/the-hindu-peerzada-abrar-november-20-2016-the-thrill-of-saving-india-from-cybercrime'>http://editors.cis-india.org/internet-governance/news/the-hindu-peerzada-abrar-november-20-2016-the-thrill-of-saving-india-from-cybercrime</a>
</p>
No publisherpraskrishnaCyber SecurityInternet GovernanceIT Act2016-11-21T02:42:48ZNews ItemPrivacy after Big Data: Compilation of Early Research
http://editors.cis-india.org/internet-governance/blog/privacy-after-big-data-compilation-of-early-research
<b>Evolving data science, technologies, techniques, and practices, including big data, are enabling shifts in how the public and private sectors carry out their functions and responsibilities, deliver services, and facilitate innovative production and service models to emerge. In this compilation we have put together a series of articles that we have developed as we explore the impacts – positive and negative – of big data. This is a growing body of research that we are exploring and
is relevant to multiple areas of our work including privacy and surveillance. Feedback and comments on the compilation are welcome and appreciated.</b>
<p> </p>
<h4><a href="https://github.com/cis-india/website/raw/master/docs/CIS_PrivacyAfterBigData_CompilationOfEarlyResearch_2016.11.pdf">Download the Compilation</a> (PDF)</h4>
<hr />
<h3><strong>Privacy after Big Data</strong></h3>
<p>Evolving data science, technologies, techniques, and practices, including big data, are enabling shifts in how the public and private sectors carry out their functions and responsibilities, deliver services, and facilitate innovative production and service models to emerge. For example, in the public sector, the Indian government has considered replacing the traditional poverty line with targeted subsidies based on individual household income and assets. The my.gov.in platform is aimed to enable participation of the connected citizens, to pull in online public opinion in a structured manner on key governance topics in the country. The 100 Smart Cities Mission looks forwards to leverage big data analytics and techniques to deliver services and govern citizens within city sub-systems. In the private sector, emerging financial technology companies are developing credit scoring models using big, small, social, and fragmented data so that people with no formal credit history can be offered loans. These models promote efficiency and reduction in cost through personalization and are powered by a wide variety of data sources including mobile data, social media data, web usage data, and passively collected data from usages of IoT or connected devices.</p>
<p>These data technologies and solutions are enabling business models that are based on the ideals of ‘less’: cash-less, presence-less, and paper-less. This push towards an economy premised upon a foundational digital ID in a prevailing condition of absent legal frameworks leads to substantive loss of anonymity and privacy of individual citizens and consumers vis-a-vis both the state and the private sector. Indeed, the present use of these techniques run contrary to the notion of the ‘sunlight effect’ - making the individual fully transparent (often without their knowledge) to the state and private sector, while the algorithms and means of reaching a decision are opaque and inaccessible to the individual.</p>
<p>These techniques, characterized by the volume of data processed, the variety of sources data is processed from, and the ability to both contextualize - learning new insights from disconnected data points - and de-contextualize - finding correlation rather than causation - have also increased the value of all forms of data. In some ways, big data has made data exist on an equal playing field as far as monetisation and joining up are concerned. Meta data can be just as valuable to an entity as content data. As data science techniques evolve to find new ways of collecting, processing, and analyzing data - the benefits of the same are clear and tangible, while the harms are less clear, but significantly present.</p>
<p>Is it possible for an algorithm to discriminate? Will incorrect decisions be made based on data collected? Will populations be excluded from necessary services if they do not engage with certain models or do emerging models overlook certain populations? Can such tools be used to surveil individuals at a level of granularity that was formerly not possible and before a crime occurs? Can such tools be used to violate rights – for example target certain types of speech or groups online? And importantly, when these practices are opaque to the individual, how can one seek appropriate and effective remedy.</p>
<p>Traditionally, data protection standards have defined and established protections for certain categories of data. Yet, data science techniques have evolved beyond data protection principles. It is now infinitely harder to obtain informed consent from an individual when data that is collected can be used for multiple purposes by multiple bodies. Providing notice for every use is also more difficult – as is fulfilling requirements of data minimization. Some say privacy is dead in the era of big data. Others say privacy needs to be re-conceptualized, while others say protecting privacy now, more than ever, requires a ‘regulatory sandbox’ that brings together technical design, markets, legislative reforms, self regulation, and innovative regulatory frameworks. It also demands an expanding of the narrative around privacy – one that has largely been focused on harms such as misuse of data or unauthorized collection – to include discrimination, marginalization, and competition harms.</p>
<p>In this compilation we have put together a series of articles that we have developed as we explore the impacts – positive and negative – of big data. This includes looking at India’s data protection regime in the context of big data, reviewing literature on the benefits of harms of big data, studying emerging predictive policing techniques that rely on big data, and analyzing closely the impact of big data on specific privacy principles such as consent. This is a growing body of research that we are exploring and is relevant to multiple areas of our work including privacy and surveillance. Feedback and comments on the compilation are welcome and appreciated.</p>
<p><em>Elonnai Hickok</em><br />Director - Internet Governance</p>
<p> </p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/privacy-after-big-data-compilation-of-early-research'>http://editors.cis-india.org/internet-governance/blog/privacy-after-big-data-compilation-of-early-research</a>
</p>
No publisherSaumyaa NaiduHuman RightsIT ActBig DataPrivacyInternet GovernanceSmart CitiesData ProtectionInformation TechnologyPublications2016-11-12T01:37:03ZBlog EntryIf all goes well, Indian IT Act may enter 21st century
http://editors.cis-india.org/internet-governance/news/economic-times-surabhi-agarwal-october-6-2016-if-all-goes-well-indian-it-act-may-enter-twenty-first-century
<b>The government is aiming to refresh the main law governing information technology by giving it a revamp which it hopes will bring it in tune with the times and address criticisms about its weaknesses, a senior official said on condition of anonymity.</b>
<p style="text-align: justify; ">The article by Surabhi Agarwal was <a class="external-link" href="http://economictimes.indiatimes.com/small-biz/legal/if-all-goes-well-indian-it-act-may-enter-21st-century/articleshow/54707994.cms">published in the Economic Times</a> on October 6, 2016. Sunil Abraham was quoted.</p>
<hr />
<p style="text-align: justify; ">The move is triggered by the realisation that the Information Technology Act passed in 2000 and last amended eight years ago may be wanting in many respects due to advances in technology and its ubiquitousness in nearly every aspect of life.</p>
<p style="text-align: justify; ">The government will take a first step by constituting a committee whose job will be to make suggestions to refresh the law. The magnitude of fraud, terrorism, bullying and stalking in cyber space has grown along with advances in technology and its adoption, and these are some of the areas where the law could do with an update.</p>
<p style="text-align: justify; ">The government's massive push on Digital India is also leading to significant digitisation of government services and records. In 2000, when the Act was first passed, there were a mere 5 million internet users in the country. India has surpassed the US to become the second-largest Internet market with 436 million users as of June 2016.</p>
<p style="text-align: justify; ">"It has been realised that we need more provisions on things such as mobile security, internet of things," the official said. "The last amendment came in 2008, so almost a decade has passed." This person said that there is confusion among various law enforcement agencies regarding the ambit of the IT Act.</p>
<p style="text-align: justify; ">Fresh provisions are also required in fields such as how long agencies – both state as well as private – should hold citizens' information, which has been shared by them, for any kind of authentication through means such as emails. Supreme Court advocate and cyber security expert Pavan Duggal called the IT Act an "outdated" piece of legislation.</p>
<p style="text-align: justify; ">"The Act and the amendments are in the pre-social media era. Current realities, challenges and the policy aspects of cyberspace have not been addressed," he said. There are no provisions, for instance, for mandatory reporting of cyber-crime and cyber-security breaches, he said. Besides, there are the challenges posed by the dark net where everything from weapons to drugs are being peddled.</p>
<p style="text-align: justify; ">"Cyber bullying is the number one problem in Indian schools and universities which is not addressed in the Act. There have been no convictions for cyber stalking which is extremely prevalent in India," Duggal said, suggesting measures such as the setting up of special courts for cyber crime and terror.</p>
<p style="text-align: justify; ">In the past couple of years, the government has come under fire for several attempts to bring in laws on encryption, contain pornography and the spread of obscene material online. The Internet and Mobile Association of India (IAMAI) said that while the move to change the Act is welcome, it should be done in an "inclusive" manner with the "widest possible public consultation" and not by a committee which consists only of government representatives.</p>
<p style="text-align: justify; ">Subho Ray, president of IAMAI said that while the definition of intermediaries needs to be reviewed and the list expanded, citizens' fundamental rights need to kept in mind while trying to bring back a modified form of Section 66A (it dealt with offences on the internet), which was struck down by the Supreme Court as unconstitutional.</p>
<p style="text-align: justify; ">The ministry of electronics and IT is currently trying to form a committee with experts from the private sector, the source said, and cautioned about the prospect of a "long-haul" before changes come about. Sunil Abraham, director of the Centre for Internet and Society (CIS) said that India's data protection laws under Section 43A of the IT Act must be upgraded and this would help Indian companies which export IT-enabled services.</p>
<p style="text-align: justify; ">"We also need to apply the principle of equivalence more clearly, which says that if something is illegal offline, it should also be illegal online," said Abraham.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/economic-times-surabhi-agarwal-october-6-2016-if-all-goes-well-indian-it-act-may-enter-twenty-first-century'>http://editors.cis-india.org/internet-governance/news/economic-times-surabhi-agarwal-october-6-2016-if-all-goes-well-indian-it-act-may-enter-twenty-first-century</a>
</p>
No publisherpraskrishnaIT ActInternet Governance2016-10-06T16:49:12ZNews ItemInternet Rights and Wrongs
http://editors.cis-india.org/internet-governance/blog/india-today-september-1-2016-pranesh-prakash-internet-rights-and-wrongs
<b>With a rise in PIL's for unwarranted censorship, do we need to step back and inspect if it's about time unreasonable trends are checked?</b>
<p style="text-align: justify; ">The article was published in India Today on September 1, 2016. The original piece <a class="external-link" href="http://indiatoday.intoday.in/story/internet-isp-websites-censorship/1/754038.html">can be read here</a>.</p>
<hr />
<p style="text-align: justify; ">Over the last few weeks, there have been a number of cases of egregious censorship of websites in India. Many people started seeing notices that (incorrectly) gave an impression that they may end up in jail if they visited certain websites. However, these notices weren't an isolated phenomenon, nor one that is new. Worryingly, the higher judiciary has been drawn into these questionable moves to block websites as well.</p>
<p style="text-align: justify; ">Since 2011, numerous torrent search engines and communities have been blocked by Indian internet service providers (ISPs). Torrent search engines provide the same functionality for torrents that Google provides for websites. Are copyright infringing materials indexed and made searchable by Google? Yes. Do we shut down Google for this reason? No. However, that is precisely what private entertainment companies have done over the past five years in India. Companies hired by the producers of Tamil movies Singham and 3 managed to get video-sharing websites like Vimeo, Dailymotion and numerous torrent search engines blocked even before the movies released, without showing even a single case of copyright infringement existed on any of them. During the FIFA World Cup, Sony even managed to get Google Docs blocked. In some cases, these entertainment companies have abused 'John Doe' orders (generic orders that allow copyright enforcement against unnamed persons) and have asked ISPs to block websites. The ISPs, instead of ignoring such requests as instances of private censorship, have also complied. In other cases (like Sony's FIFA World Cup case), courts have ordered ISPs to block hundreds of websites without any copyright infringement proven against them. High court judges haven't even developed a coherent theory on whether or how Indian law allows them to block websites for alleged copyright infringement. Still they have gone ahead and blocked.</p>
<p style="text-align: justify; ">In 2012, hackers got into Reliance Communications servers and released a list of websites blocked by them. The list contained multiple links that sought to connect Satish Seth-a group MD in Reliance ADA Group-to the 2G scam: a clear case of secretive private censorship by RCom. Further, visiting some of the YouTube links which pertained to Satish Seth showed that they had been removed by YouTube due to dubious copyright infringement complaints filed by Reliance BIG Entertainment. Did the department of telecom, whose licences forbid ISPs from engaging in private censorship, take any action against RCom? No. Earlier this year, Tata Sky filed a complaint against YouTube in the Delhi High Court, noting that there were videos on it that taught people how to tweak their set-top boxes to get around the technological locks that Tata Sky had placed. The Delhi HC ordered YouTube "not to host content that violates any law for the time being in force", presuming that the videos in question did in fact violate Indian law. They cite two sections: Section 65A of the Copyright Act and Section 66 of the Information Technology Act. The first explicitly allows a user to break technological locks of the kind that Tata Sky has placed for dozens of reasons (and allows a person to teach others how to engage in such breaking), whereas the second requires finding of "dishonesty" or "fraud" along with "damage to a computer system, etc", and an intention to violate the law-none of which were found. The court effectively blocked videos on YouTube without any finding of illegality, thus once again siding with censorial corporations.</p>
<p style="text-align: justify; ">In 2013, Indore-based lawyer Kamlesh Vaswani filed a PIL in the Supreme Court calling for the government to undertake proactive blocking of all online pornography. Normally, a PIL is only admittable under Article 32 of the Constitution, on the basis of a violation of a fundamental right (which are listed in Part III of our Constitution). Vaswani's petition-which I have had the misfortune of having read carefully-does not at any point complain that the state is violating a fundamental right by not blocking pornography. Yet the petition wants to curb the fundamental right to freedom of expression, since the government is by no means in a position to determine what constitutes illegal pornography and what doesn't.</p>
<p style="text-align: justify; ">The larger problem extends to the now-discredited censor board (headed by the notorious Pahlaj Nihalani), as also the self-censorship practised on TV by the private Indian Broadcasters Federation (which even bleeps out words and phrases like 'Jesus', 'period', 'breast cancer' and 'beef'). 'Swachh Bharat' should not mean sanitising all media to be unobjectionable to the person with the lowest outrage threshold. So who will file a PIL against excessive censorship?</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/india-today-september-1-2016-pranesh-prakash-internet-rights-and-wrongs'>http://editors.cis-india.org/internet-governance/blog/india-today-september-1-2016-pranesh-prakash-internet-rights-and-wrongs</a>
</p>
No publisherpraneshFreedom of Speech and ExpressionIT ActInternet GovernanceCensorship2016-09-22T23:36:14ZBlog EntryDespite SC order, thousands booked under scrapped Sec 66A of IT Act
http://editors.cis-india.org/internet-governance/news/hindustan-times-aloke-tikku-september-7-2016-despite-sc-order-thousands-booked-under-scrapped-sec-66a-of-it-act
<b>College student Danish Mohammed’s arrest this March under the scrapped Section 66A of the Information Technology Act for allegedly sharing a morphed picture of RSS chief Mohan Bhagwat wasn’t an exception.</b>
<p style="text-align: justify; ">The article by Aloke Tikku was published in the <a href="http://www.hindustantimes.com/india-news/despite-sc-order-thousands-booked-under-scrapped-section-66a-of-it-act/story-DisRxFDBJTXvkz6ZW4fRHK.html">Hindustan Times</a> on September 7, 2016. Sunil Abraham was quoted.</p>
<hr />
<p style="text-align: justify; ">Police arrested more than 3,000 people under the section in 2015, triggering concerns that the law was abused well after it was struck down by the Supreme Court in March last year. The top court had ruled Section 66A violated the constitutional freedom of speech and expression.<br /><br />The exact number of people arrested after it was scrapped is not available. But the National Crime Records Bureau’s (NCRB) Crime in India report released last month shows 3,137 arrests under the section in 2015 against 2,423 the previous year.<br /><br />On an average, four people were arrested every 12 hours in 2015 as compared to three in 2014.<br /><br />“I am shocked,” said Supreme Court lawyer Karuna Nundy, who represented the People’s Union for Civil Liberties, among the petitioners in Supreme Court seeking removal of Section 66A.<br /><br />“Making sure that our guardians of law know their law is absolutely basic... Whether it is training or notifying every police officer, we need action on it immediately,” she said.</p>
<p style="text-align: justify; "><img src="http://www.hindustantimes.com/rf/image_size_800x600/HT/p2/2016/09/07/Pictures/_7befc902-7467-11e6-86aa-b218fe1cd668.jpg" /></p>
<p style="text-align: justify; ">It is unlikely that all 3,000-plus arrests were made before the provision was struck down in March. Sunil Abraham, executive director of the Bengaluru-headquartered advocacy group Centre for Internet and Society, said it was obvious that the police had not made these arrests before the SC ruling.</p>
<p style="text-align: justify; ">Lawyer Manali Singhal said once the Supreme Court struck off a provision of law, “any arrest under that provision would be per se illegal and void”.</p>
<p style="text-align: justify; ">Police also appeared to be on an overdrive to file charge sheets against people booked before the SC verdict – in 1,500 cases last year, almost twice the 2014 figure.</p>
<p style="text-align: justify; ">NCRB statistics suggest that trials too did not end.</p>
<p style="text-align: justify; ">There were 575 people still in jail on January 1, 2016, twice as many as the 275 in prison when the law was in force a year earlier. In 2015, the courts also convicted accused in 143 cases.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/hindustan-times-aloke-tikku-september-7-2016-despite-sc-order-thousands-booked-under-scrapped-sec-66a-of-it-act'>http://editors.cis-india.org/internet-governance/news/hindustan-times-aloke-tikku-september-7-2016-despite-sc-order-thousands-booked-under-scrapped-sec-66a-of-it-act</a>
</p>
No publisherpraskrishnaIT ActInternet Governance2016-09-07T15:31:18ZNews ItemAccessing pirated content might lead to prison term & Rs 3-lakh fine
http://editors.cis-india.org/internet-governance/news/business-standard-august-22-2016-accessing-pirated-content-might-lead-to-prison-term-and-rs-3-lakh-fine
<b>India puts onus of downloading and viewing pirated content on individuals.
</b>
<p align="justify">The article by Alnoor Peermohammed was published in the <a href="http://www.business-standard.com/article/technology/accessing-pirated-content-might-lead-to-prison-term-rs-3-lakh-fine-116082201042_1.html">Business Standard</a> on August 22, 2016. Sunil Abraham was quoted.</p>
<hr align="justify" size="2" width="100%" />
<div align="justify">The central government is putting the onus of downloading and viewing of copyrighted content from sites it has blocked (with the help of internet service providers) on users.</div>
<div align="justify"></div>
<div align="justify">Visiting torrent (a particular type of files) websites while on Tata Communications’ network recently had users being shown a message that viewing or downloading content on those sites could land them in prison for up to three years and a fine of up to Rs 3 lakh.</div>
<div align="justify"></div>
<div align="justify">“There is not enough room in our prisons to keep these infringers and enough time in our courts to try them. It might sound very exciting as a message to put out but, essentially, they’re trying to scare people into good behaviour,” said Sunil Abraham, executive director at research firm Centre for Internet and Society.
<div id="div-gpt-ad-1466593210966-0"></div>
</div>
<div align="justify"></div>
<div align="justify">There has been no change to the Copyright Act of 1957 or the Information Technology Act of 2000 for the updated notice being shown to users upon visiting blocked sites. Under these provisions, visiting a site, which is blocked is not illegal, unless it is child pornography.<br /> <br />
<div>“Copyright infringement happens all the time and even in developed countries, the rates are very high. Crackdowns on individuals and consumers are never going to solve the problem,” added Abraham.</div>
<div>Experts say the most the government could do is prosecute a couple of people and make examples of them, to dissuade others. This practice is followed globally. There are no examples, though, in India of prosecution for copyright infringement of online content.<br /> <br />
<div>The recent alteration of the statement seen by users on Tata networks was done on the directives of the Bombay High Court, after the company appealed that showing individual messages for why each website was blocked was not feasible. The resulting message sparked media frenzy that visitors of blocked websites could now be imprisoned.</div>
<div>Other media reports revealed that the recent blocking of websites by internet service providers was prompted by court orders to prevent piracy of <i>Dishoom</i>, the Bollywood movie. <br /> <br /> <span class="p-content">Globally, there’s been a move to clamp on torrent websites which host pirated content, aided by large information technology entities such as Apple or Facebook. Last month, the US authorities arrested Kickass Torrents’ founder, Arten Vaulin, and blocked all the domains of the website, only to have it resurface a day later.</span></div>
</div>
</div>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/business-standard-august-22-2016-accessing-pirated-content-might-lead-to-prison-term-and-rs-3-lakh-fine'>http://editors.cis-india.org/internet-governance/news/business-standard-august-22-2016-accessing-pirated-content-might-lead-to-prison-term-and-rs-3-lakh-fine</a>
</p>
No publisherpraskrishnaIT ActInternet GovernanceInformation TechnologyCopyright2016-08-23T02:47:52ZNews ItemPlace for a safety net
http://editors.cis-india.org/internet-governance/news/the-telegraph-july-10-2016-place-for-a-safety-net
<b>Vinupriya took her life last week, humiliated by the morphed images of her naked body posted on a social media site. Experts warn that the spike in Internet traffic brings with it an increase in online sexual crimes. Measures must be taken urgently to save lives, they tell T.V. Jayan.
</b>
<p align="justify"><a class="external-link" href="http://www.telegraphindia.com/1160710/jsp/7days/story_95759.jsp">The article was published in the Telegraph on July 10, 2016</a>.</p>
<hr />
<p align="justify">Sangeeta (not her name) was 25 and working for a private company in Mumbai when she suddenly told her family that she was going to quit her job and stay at home. Her parents were flummoxed, but questioning and coaxing yielded no answers. As the days rolled on, the management graduate slipped into depression. Her worried family took her to a counsellor. And it was only then that she came out with her story.</p>
<p align="justify">Soon after she joined the company, Sangeeta got romantically involved with her boss. By the time she learnt he was married, the involvement had taken a physical turn. And when she tried to put an end to it, the man, who had recorded their intimate moments, used the video clips to blackmail her for sexual favours. After Sangeeta's confession and a police complaint, the blackmailing boss was nabbed and put behind bars.</p>
<p align="justify">Vinupriya, an undergraduate student from Salem, Tamil Nadu, was not so lucky. She found that her morphed images had been uploaded on Facebook. She committed suicide last week after her parents refused to believe her story, and the police failed to act swiftly.</p>
<p align="justify">Cyber experts are alarmed by the increase in online crimes against women in India. According to them, what is more worrying is that though the risks are catastrophic, the issues are not being addressed at a larger level.</p>
<p align="justify">"Vinupriya's case is particularly frightening. I suspect this would be the first of many such tragedies. They might even result in honour killings, as such crimes can destroy the reputation of families," says American cyber lawyer Parry Aftab, executive director of the voluntary organisation, Wired Safety, which she founded 20 years ago, and which deals extensively with cyber stalking and other crimes.</p>
<p align="justify">Earlier this week, a man was arrested in Delhi for sending obscene messages to more than 1,500 women in the National Capital Region. According to the police, the miscreant would randomly dial any number and if the caller turned out to be a woman, he would save the number and later check out her WhatsApp profile picture. He would then send obscene clips to the woman. One news report said some of the marriages were in trouble because husbands had seen the messages and suspected that their wives were in a relationship with the man sending those explicit messages.</p>
<p align="justify">Aftab has been studying the dangers of online stalking for a while. There are no figures on this in India, but a top United Nations official, stationed in New Delhi and dealing with trafficking, told her that about 500 rape and sexual assault cases were recorded and shared over WhatsApp in India this year.</p>
<p align="justify">She referred to a study conducted in the US that said one in three girls and boys engaged in sexting. Children involved in sexting contemplated suicide three times more than others of the same age, she said.</p>
<p align="justify">According to her, Wired Safety volunteers come across five cases of sextortion and sexting every day from Asian countries, including India, and act upon them by red-flagging social media organisations where such images are posted.</p>
<p align="justify">Pavan Duggal, a cyber lawyer based in Delhi, feels that social media service providers are not doing enough to stop online sexual abuse. "They are hiding behind a 2015 Supreme Court judgment, which said content can be removed only on judicial orders or in response to government notifications," he says.</p>
<p align="justify">The verdict he refers to was delivered in a case filed by a student called Shreya Singhal. In 2012, two girls were arrested over their Facebook post questioning the Mumbai shutdown for Shiv Sena patriarch Bal Thackeray's funeral. The incident made an impression on Singhal, a student of astrophysics at the University of Bristol, who was in India at the time.</p>
<p align="justify">Upon research she discovered that Section 66(A) of India's IT Act was subjective and any seemingly offensive social media post could land anyone in jail. Singhal filed a writ petition in the Supreme Court protesting that the section violated the constitutional right to freedom of speech and expression, and in 2015, the apex court ruled in her favour.</p>
<p align="justify">This judgment, however, emboldened cyber miscreants. "All the cyber bullies and cyber stalkers now have a misplaced feeling that nothing can happen to them," says Duggal. He points out that while the delivery of justice takes time, the harassment happens 24x7.</p>
<p align="justify">"Who do the victims turn to for help? There are provisions in the 2011 IT rules that clearly say that social medial service providers should have rules and regulations in place to deal with objectionable content, but they do not act," he holds.</p>
<p align="justify">Aftab, however, believes that some efforts are in place. She cites the example of Microsoft's PhotoDNA technology, which is used by many social media and online search firms, including Facebook, Google and Twitter, to prevent child pornography on the Internet. PhotoDNA works by creating a number of mini hashes on a single image and combining them to have a full hash. If anything is changed, even a pixel, then the hash signature will not match.</p>
<p align="justify">But she holds that on a larger scale, it is difficult to technologically deal with revenge porn, sextortion (using a sexual or provocative image to blackmail people for sexual favours) and sexting (sharing sexually provocative images of people, especially women) with the intention of damaging reputation.</p>
<p align="justify">Sunil Abraham, executive director of the Bangalore-based Centre for Internet and Society, hints at a lack of initiative on the part of the social media organisations. "When it comes to enforcing intellectual property, organisations like Facebook do an excellent job of keeping their platform free of copyright infringement," he says. "So, clearly these companies can police activities on their platform when it affects their bottom-line."</p>
<p align="justify">And while this debate continues, more and more Indians join the online experience, thereby increasing the chances of more such cases. Aftab, who plans to set up a voluntary organisation relating to cyber safety in India, says it is best to focus on proactive measures in the interim.</p>
<p align="justify">Last month, she addressed 1,200 teenage girls from a Bangalore college. "One of the first questions posed to me was from a young girl who said she was currently being blackmailed by someone who threatened to morph her pictures into sexually explicit images and send them to her family and others. Morphed image issue seems to be a lot more serious in India than in the West."</p>
<p align="justify">The problem, she stresses, is that such incidents can lead to self-harm. To counter this, the affected person needs to inform his or her family and enlist their support. Together, they should approach social media organisations to ensure that the objectionable content is removed in time. To prevent the offenders from doing further harm, they then need to take the help of law enforcement agencies.</p>
<p align="justify">"The government for its part must amplify the voices of women and hold these Internet corporations accountable for an information escrow. There should be an independent mechanism to monitor whether Internet platforms are taking complaints from women seriously," Abraham says. Only then can a young girl like Vinupriya pluck up the courage to fight online abuse.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/the-telegraph-july-10-2016-place-for-a-safety-net'>http://editors.cis-india.org/internet-governance/news/the-telegraph-july-10-2016-place-for-a-safety-net</a>
</p>
No publisherpraskrishnaIT ActInternet Governance2016-07-13T02:45:56ZNews ItemThe Case of Whatsapp Group Admins
http://editors.cis-india.org/internet-governance/blog/the-case-of-whatsapp-group-admins
<b></b>
<p style="text-align: justify; ">Censorship laws in India have now roped in group administrators of chat groups on instant messaging platforms such as Whatsapp (<i>group admin(s)</i>) for allegedly objectionable content that was posted by other users of these chat groups. Several incidents<a href="file:///C:/Users/HP/Desktop/Whatsapp%20group%20admins.docx#_ftn1">[1]</a> were reported this year where group admins were arrested in different parts of the country for allowing content that was allegedly objectionable under law. A few reports mentioned that these arrests were made under Section 153A<a href="file:///C:/Users/HP/Desktop/Whatsapp%20group%20admins.docx#_ftn2">[2]</a> read with Section 34<a href="file:///C:/Users/HP/Desktop/Whatsapp%20group%20admins.docx#_ftn3">[3]</a> of the Indian Penal Code (<i>IPC</i>) and Section 67<a href="file:///C:/Users/HP/Desktop/Whatsapp%20group%20admins.docx#_ftn4">[4]</a> of the Information Technology Act (<i>IT Act</i>).</p>
<p style="text-align: justify; "><span>Targeting of a group admin for content posted by other members of a chat group has raised concerns about how this liability is imputed. Whether a group admin should be considered an intermediary under Section 2 (w) of the IT Act? If yes, whether a group admin would be protected from such liability?</span></p>
<h3><strong>Group admin as an intermediary</strong></h3>
<p style="text-align: justify; "><strong> </strong></p>
<p style="text-align: justify; ">Whatsapp is an instant messaging platform which can be used for mass communication by opting to create a chat group. A chat group is a feature on Whatsapp that allows joint participation of Whatsapp users. The number of Whatsapp users on a single chat group can be up to 100. Every chat group has one or more group admins who control participation in the group by deleting or adding people. <a href="file:///C:/Users/HP/Desktop/Whatsapp%20group%20admins.docx#_ftn5">[5]</a> It is imperative that we understand that by choosing to create a chat group on Whatsapp whether a group admin can become liable for content posted by other members of the chat group.</p>
<p style="text-align: justify; "><span>Section 34 of the IPC provides that when a number of persons engage in a criminal act with a common intention, each person is made liable as if he alone did the act. Common intention implies a pre-arranged plan and acting in concert pursuant to the plan. It is interesting to note that group admins have been arrested under Section 153A on the ground that a group admin and a member posting content on a chat group that is actionable under this provision have common intention to post such content on the group. But would this hold true when for instance, a group admin creates a chat group for posting lawful content (say, for matchmaking purposes) and a member of the chat group posts content which is actionable under law (say, posting a video abusing Dalit women)? Common intention can be established by direct evidence or inferred from conduct or surrounding circumstances or from any incriminating facts.</span><a href="file:///C:/Users/HP/Desktop/Whatsapp%20group%20admins.docx#_ftn6">[6]</a></p>
<p style="text-align: justify; "><span>We need to understand whether common intention can be established in case of a user merely acting as a group admin. For this purpose it is necessary to see how a group admin contributes to a chat group and whether he acts as an intermediary.</span></p>
<p style="text-align: justify; "><strong> </strong></p>
<p style="text-align: justify; "><span>We know that parameters for determining an intermediary differ across jurisdictions and most global organisations have categorised them based on their role or technical functions.</span><a href="file:///C:/Users/HP/Desktop/Whatsapp%20group%20admins.docx#_ftn7">[7]</a><span> Section 2 (w) of the Information Technology Act, 2000 (</span><i>IT Act</i><span>) defines an intermediary as </span><i>any person, who on behalf of another person, receives, stores or transmits messages or provides any service with respect to that message</i><span> </span><i>and includes the telecom services providers, network providers, internet service providers, web-hosting service providers, search engines, online payment sites, online-auction sites, online marketplaces and cyber cafés</i><span>. Does a group admin receive, store or transmit messages on behalf of group participants or provide any service with respect to messages of group participants or falls in any category mentioned in the definition? Whatsapp does not allow a group admin to receive, or store on behalf of another participant on a chat group. Every group member independently controls his posts on the group. However, a group admin helps in transmitting messages of another participant to the group by allowing the participant to be a part of the group thus effectively providing service in respect of messages. A group admin therefore, should be considered an intermediary. However his contribution to the chat group is limited to allowing participation but this is discussed in further detail in the section below.</span></p>
<p style="text-align: justify; "><span>According to the Organisation for Economic Co-operation and Development (OECD), in a 2010 report</span><a href="file:///C:/Users/HP/Desktop/Whatsapp%20group%20admins.docx#_ftn8">[8]</a><span>, an internet intermediary brings together or facilitates transactions between third parties on the Internet. It gives access to, hosts, transmits and indexes content, products and services originated by third parties on the Internet or provide Internet-based services to third parties. A Whatsapp chat group allows people who are not on your list to interact with you if they are on the group admins’ contact list. In facilitating this interaction, according to the OECD definition, a group admin may be considered an intermediary.</span></p>
<h3><strong>Liability as an intermediary</strong></h3>
<p style="text-align: justify; "><strong> </strong></p>
<p style="text-align: justify; ">Section 79 (1) of the IT Act protects an intermediary from any liability under any law in force (for instance, liability under Section 153A pursuant to the rule laid down in Section 34 of IPC) if an intermediary fulfils certain conditions laid down therein. An intermediary is required to carry out certain due diligence obligations laid down in Rule 3 of the Information Technology (Intermediaries Guidelines) Rules, 2011 (<i>Rules</i>). These obligations include monitoring content that infringes intellectual property, threatens national security or public order, or is obscene or defamatory or violates any law in force (Rule 3(2)).<a href="file:///C:/Users/HP/Desktop/Whatsapp%20group%20admins.docx#_ftn9">[9]</a> An intermediary is liable for publishing or hosting such user generated content, however, as mentioned earlier, this liability is conditional. Section 79 of IT Act states that an intermediary would be liable only if it initiates transmission, selects receiver of the transmission and selects or modifies information contained in the transmission that falls under any category mentioned in Rule 3 (2) of the Rules. While we know that a group admin has the ability to facilitate sharing of information and select receivers of such information, he has no direct editorial control over the information shared. Group admins can only remove members but cannot remove or modify the content posted by members of the chat group. An intermediary is liable in the event it fails to comply with due diligence obligations laid down under rule 3 (2) and 3 (3) of the Rules however, since a group admin lacks the authority to initiate transmission himself and control content, he can’t comply with these obligations. Therefore, a group admin would be protected from any liability arising out of third party/user generated content on his group pursuant to Section 79 of the IT Act.</p>
<p style="text-align: justify; "><span>It is however relevant to note whether the ability of a group admin to remove participants amounts to an indirect form of editorial control.</span></p>
<h3><strong>Other pertinent observations</strong></h3>
<p style="text-align: justify; "><strong><span> </span></strong></p>
<p style="text-align: justify; ">In several reports<a href="file:///C:/Users/HP/Desktop/Whatsapp%20group%20admins.docx#_ftn10">[10]</a> there have been discussions about how holding a group admin liable makes the process convenient as it is difficult to locate all the users of a particular group. This reasoning may not be correct as the Whatsapp policy<a href="file:///C:/Users/HP/Desktop/Whatsapp%20group%20admins.docx#_ftn11">[11]</a> makes it mandatory for a prospective user to provide his mobile number in order to use the platform and no additional information is collected from group admins which may justify why group admins are targeted. Investigation agencies can access mobile numbers of Whatsapp users and gain more information from telecom companies.</p>
<p style="text-align: justify; "><span>It is also interesting to note that the group admins were arrested after a user or someone familiar to a user filed a complaint with the police about content being objectionable or hurtful. Earlier this year, the apex court had ruled in the case of </span><i>Shreya Singhal v. Union of India</i><a href="file:///C:/Users/HP/Desktop/Whatsapp%20group%20admins.docx#_ftn12">[12]</a><span> that an intermediary needed a court order or a government notification for taking down information. With actions taken against group admins on mere complaints filed by anyone, it is clear that the law enforcement officials have been overriding the mandate of the court.</span></p>
<h3><strong>Conclusion</strong></h3>
<p> </p>
<p><span style="text-align: justify; ">According to a study conducted by a global research consultancy, TNS Global, around 38 % of internet users in India use instant messaging applications such as Snapchat and Whatsapp on a daily basis, Whatsapp being the most widely used application. These figures indicate the scale of impact that arrests of group admins may have on our daily communication.</span></p>
<p style="text-align: justify; "><span>It is noteworthy that categorising a group admin as an intermediary would effectively make the Rules applicable to all Whatsapp users intending to create groups and make it difficult to enforce and would perhaps blur the distinction between users and intermediaries.</span></p>
<p style="text-align: justify; "><span>The critical question however is whether a chat group is considered a part of the bundle of services that Whatsapp offers to its users and not as an independent platform that makes a group admin a separate entity. Also, would it be correct to draw comparison of a Whatsapp group chat with a conference call on Skype or sharing a Google document with edit rights to understand the domain in which censorship laws are penetrating today?</span></p>
<p style="text-align: justify; "> </p>
<p style="text-align: justify; "><i>Valuable contribution by Pranesh Prakash and Geetha Hariharan</i></p>
<hr size="1" style="text-align: justify; " width="33%" />
<p style="text-align: justify; "><a href="file:///C:/Users/HP/Desktop/Whatsapp%20group%20admins.docx#_ftnref1">[1]</a> <a href="http://www.nagpurtoday.in/whatsapp-admin-held-for-hurting-religious-sentiment/06250951">http://www.nagpurtoday.in/whatsapp-admin-held-for-hurting-religious-sentiment/06250951</a> ; <a href="http://www.catchnews.com/raipur-news/whatsapp-group-admin-arrested-for-spreading-obscene-video-of-mahatma-gandhi-1440835156.html">http://www.catchnews.com/raipur-news/whatsapp-group-admin-arrested-for-spreading-obscene-video-of-mahatma-gandhi-1440835156.html</a> ; <a href="http://www.financialexpress.com/article/india-news/whatsapp-group-admin-along-with-3-members-arrested-for-objectionable-content/147887/">http://www.financialexpress.com/article/india-news/whatsapp-group-admin-along-with-3-members-arrested-for-objectionable-content/147887/</a></p>
<p style="text-align: justify; "><a href="file:///C:/Users/HP/Desktop/Whatsapp%20group%20admins.docx#_ftnref2">[2]</a> Section 153A. “Promoting enmity between different groups on grounds of religion, race, place of birth, residence, language, etc., and doing acts prejudicial to maintenance of harmony.— (1) Whoever— (a) by words, either spoken or written, or by signs or by visible representations or otherwise, promotes or attempts to promote, on grounds of religion, race, place of birth, residence, language, caste or community or any other ground whatsoever, disharmony or feelings of enmity, hatred or ill-will between different religious, racial, language or regional groups or castes or communities…” or 2) Whoever commits an offence specified in sub-section (1) in any place of worship or in any assembly engaged in the performance of religious worship or religious ceremonies, shall be punished with imprisonment which may extend to five years and shall also be liable to fine.</p>
<p style="text-align: justify; "><a href="file:///C:/Users/HP/Desktop/Whatsapp%20group%20admins.docx#_ftnref3">[3]</a> Section 34. Acts done by several persons in furtherance of common intention – When a criminal act is done by several persons in furtherance of common intention of all, each of such persons is liable for that act in the same manner as if it were done by him alone.</p>
<p style="text-align: justify; "><a href="file:///C:/Users/HP/Desktop/Whatsapp%20group%20admins.docx#_ftnref4">[4]</a> Section 67 Publishing of information which is obscene in electronic form. -Whoever publishes or transmits or causes to be published in the electronic form, any material which is lascivious or appeals to the prurient interest or if its effect is such as to tend to deprave and corrupt persons who are likely, having regard to all relevant circumstances, to read, see or hear the matter contained or embodied in it, shall be punished on first conviction with imprisonment of either description for a term which may extend to five years and with fine which may extend to one lakh rupees and in the event of a second or subsequent conviction with imprisonment of either description for a term which may extend to ten years and also with fine which may extend to two lakh rupees."</p>
<p style="text-align: justify; "><a href="file:///C:/Users/HP/Desktop/Whatsapp%20group%20admins.docx#_ftnref5">[5]</a> https://www.whatsapp.com/faq/en/general/21073373</p>
<p style="text-align: justify; "><a href="file:///C:/Users/HP/Desktop/Whatsapp%20group%20admins.docx#_ftnref6">[6]</a> Pandurang v. State of Hyderabad AIR 1955 SC 216</p>
<p style="text-align: justify; "><a href="file:///C:/Users/HP/Desktop/Whatsapp%20group%20admins.docx#_ftnref7">[7]</a><a href="https://www.eff.org/files/2015/07/08/manila_principles_background_paper.pdf">https://www.eff.org/files/2015/07/08/manila_principles_background_paper.pdf</a>; <a href="http://unesdoc.unesco.org/images/0023/002311/231162e.pdf">http://unesdoc.unesco.org/images/0023/002311/231162e.pdf</a></p>
<p style="text-align: justify; "><a href="file:///C:/Users/HP/Desktop/Whatsapp%20group%20admins.docx#_ftnref8">[8]</a> http://www.oecd.org/internet/ieconomy/44949023.pdf</p>
<p style="text-align: justify; "><a href="file:///C:/Users/HP/Desktop/Whatsapp%20group%20admins.docx#_ftnref9">[9]</a> Rule 3(2) (b) of the Rules</p>
<p style="text-align: justify; "><a href="file:///C:/Users/HP/Desktop/Whatsapp%20group%20admins.docx#_ftnref10">[10]</a><a href="http://www.thehindu.com/news/national/other-states/if-you-are-a-whatsapp-group-admin-better-be-careful/article7531350.ece">http://www.thehindu.com/news/national/other-states/if-you-are-a-whatsapp-group-admin-better-be-careful/article7531350.ece</a>; http://www.newindianexpress.com/states/tamil_nadu/Social-Media-Administrator-You-Could-Land-in-Trouble/2015/10/10/article3071815.ece; <a href="http://www.medianama.com/2015/10/223-whatsapp-group-admin-arrest/">http://www.medianama.com/2015/10/223-whatsapp-group-admin-arrest/</a>; <a href="http://www.thenewsminute.com/article/whatsapp-group-admin-you-are-intermediary-and-here%E2%80%99s-what-you-need-know-35031">http://www.thenewsminute.com/article/whatsapp-group-admin-you-are-intermediary-and-here%E2%80%99s-what-you-need-know-35031</a></p>
<p style="text-align: justify; "><a href="file:///C:/Users/HP/Desktop/Whatsapp%20group%20admins.docx#_ftnref11">[11]</a> https://www.whatsapp.com/legal/</p>
<p style="text-align: justify; "><a href="file:///C:/Users/HP/Desktop/Whatsapp%20group%20admins.docx#_ftnref12">[12]</a> http://supremecourtofindia.nic.in/FileServer/2015-03-24_1427183283.pdf</p>
<div>
<div id="ftn12"></div>
</div>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/the-case-of-whatsapp-group-admins'>http://editors.cis-india.org/internet-governance/blog/the-case-of-whatsapp-group-admins</a>
</p>
No publisherJapreet GrewalIT ActIntermediary LiabilityCensorship2015-12-08T10:25:42ZBlog EntryEncryption policy would have affected emails, operating systems, WiFi
http://editors.cis-india.org/internet-governance/news/dna-september-23-2015-amrita-madhukalya-encryption-policy-would-have-affected-emails-operating-systems-wifi
<b>Our email data would have to be stored. If we connect to a WiFi, that data would have to be stored, and that's plain ridiculous. There is a problem when the government tries to target citizens to ensure national security, said Pranesh Prakash, policy director at the Bangalore-based Centre for Internet and Society. </b>
<p>The article by Amrita Madhukalya was published in <a class="external-link" href="http://www.dnaindia.com/india/report-encryption-policy-would-have-affected-emails-operating-systems-wifi-2127715">DNA</a> on September 23, 2015.</p>
<hr />
<p>The <a href="http://www.dnaindia.com/topic/draft-national-policy">Draft National Policy</a> on Encryption, withdrawn by the Department of Electronics and Information Technology (DeiTY) after it created a furore on privacy issues, would have had allowed the government access to any form of digital data that required encryption. Not limited to just WhatsApp or Viber data, it would have affected email services, WiFi, phone operating systems, etc.</p>
<p>"Our email data would have to be stored. If we connect to a WiFi, that data would have to be stored, and that's plain ridiculous. There is a problem when the government tries to target citizens to ensure national security," said Pranesh Prakash, policy director at the Bangalore-based Centre for Internet and Society.</p>
<p>The government, criticised heavily for the policy, withdrew it on Tuesday afternoon. It said that a new policy will be brought in its place.</p>
<p>Nikhil Pahwa of internet watchdog Medianama said that data about normal day-to-day activities would have to be stored if the policy was implemented. "The policy would have affected everyday business to consumer data.<br /> This would mean that if a doctor or lawyer had your data digitised, they will be open to access, and would have to be kept for at least 90 days," said Pahwa.</p>
<p>However, he added that a robust encryption is needed. "It is believed that companies like Google, <a href="http://www.dnaindia.com/topic/facebook">Facebook</a> allow the NSA to access user data in the US, putting our personal security, and the national security largely, at risk," said Pahwa.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/dna-september-23-2015-amrita-madhukalya-encryption-policy-would-have-affected-emails-operating-systems-wifi'>http://editors.cis-india.org/internet-governance/news/dna-september-23-2015-amrita-madhukalya-encryption-policy-would-have-affected-emails-operating-systems-wifi</a>
</p>
No publisherpraskrishnaIT ActInternet Governance2015-09-25T01:23:10ZNews Item