Centre for Internet and Society

RBI Ban on Cryptocurrencies not backed by any data or statistics

vipul — 2020-03-05T18:35:48Z

In March 2020, the Supreme Court of India quashed the RBI order passed in 2018 that banned financial services firms from trading in virtual currency or cryptocurrency. Keeping this policy window in mind, the Centre for Internet & Society will be releasing a series of blog posts and policy briefs on cryptocurrency regulation in India

On April 6, 2018 the RBI issued a circular preventing all Commercial and Co-operative Banks, Payments Banks, Small Finance Banks, NBFCs, and Payment System Providers not only from dealing in virtual currencies themselves but also directing them to stop providing services to all entities which deal with virtual currencies. The RBI had issued a Press Release cautioning the public against dealing in virtual currencies including Bitcoin in 2013. However, the growing popularity of cryptocurrencies and its adoption by large numbers of Indian users, may have been the reason which forced the RBI to issue another Press Release in February 2017 reiterating its earlier concerns regarding cryptocurrencies raised in its earlier circular of 2013. In December 2017 both the RBI as well as the Ministry of Finance issued Press Releases cautioning the general public about the dangers and risks associated with cryptocurrencies, finally culminating in the circular dated April 6, 2018 banning financial institutions from dealing with cryptocurrency traders. As a result of this circular the operations of cryptocurrency exchanges took a severe hit and the number of transactions on these exchanges reduced substantially. The cryptocurrency market in India all but disappeared with only a few extremely determined enthusiasts still dealing in cryptocurrencies, at the risk of potentially depriving themselves of banking services altogether.

The RBI circular was challenged in the Supreme Court by the Internet and Mobile Association of India; final arguments in the case were concluded only in the last week of January, 2020 with the judgment of the Supreme Court being awaited. Generally speaking, whenever such policy decisions of the executive branch are challenged in the courts, a well accepted defense for the executive authorities, specifically in highly complicated fields such as finance, etc. is that the decision was taken by an expert body using its expertise in the field. The basic rationale underlying this argument is that the authority has relied on verifiable data and used its expertise to analyse the same in order to arrive at its decision.

However, it appears from the response by the RBI to an RTI query by Centre for Internet and Society, that requested the RBI for a copy of all reports, papers, opinions and advice that was relied upon for issuing the April 6, 2018 circular, that the RBI has not relied upon any such data to come to a conclusion that banking services should be denied to all those entities dealing in cryptocurrencies. It appears from the response to the RTI query that it was the RBI’s own previous circulars and press releases which formed the basis for the April 6, 2018 circular. This response completely undermines the argument that the decision by the RBI was taken after an analysis of all the facts and statistics concerned with cryptocurrency trading.

Not only does the RTI response weaken the commonly accepted defense of an expert body making a well-reasoned decision, but it also strengthens another legal ground for challenging the decision of the RBI, viz. arbitrariness. One of the grounds on which executive decisions can be challenged is that the decision was made without taking into account relevant material and without the application of mind. The admission by the RBI in its RTI response that there is no material relied upon by the RBI, except its own previous Press Releases, only strengthens the argument that the decision was made in an arbitrary manner.

Such an admission by the RBI regarding the process followed before issuing the April 6, 2018 circular reduces the credibility of the decision itself. However it remains to be seen whether the Supreme Court of India agrees with the arguments of the petitioners challenging the April 6, 2018 circular, even though the petitioners may not have been able to produce this RTI response from the RBI to further bolster their case.

For more details visit http://editors.cis-india.org/internet-governance/blog/rbi-ban-on-cryptocurrencies-not-backed-by-any-data-or-statistics

Cryptocurrency Regulation in India – A brief history

vipul — 2020-03-05T18:36:09Z

The story of cryptocurrencies started in 2008 when a paper titled “Bitcoin: A Peer to Peer Electronic Cash System” was published by a single or group of pseudonymous developer(s) by the name of Satoshi Nakamoto. The actual network took some time to start with the first transactions taking place only in January 2009. The first actual sale of an item using Bitcoin took place a year later with a user swapping 10,000 Bitcoin for two pizzas in 2010, which attached a cash value to the cryptocurrency for the first time. By 2011 other cryptocurrencies began to emerge, with Litecoin, Namecoin and Swiftcoin all making their debut. Meanwhile, Bitcoin the cryptocurrency that started it all started getting criticised after claims emerged that it was being used on the so-called “dark web”, particularly on sites such as Silk Road as a means of payment for illegal transactions. Over the next five years cryptocurrencies steadily gained traction with increased number of transactions and the price of Bitcoin, the most popular cryptocurrency shot up from around 5 Dollars in the beginning of 2012 to almost 1000 Dollars at the end of 2017.

Riding on the back of this wave of popularity, a number of cryptocurrency exchanges started operating in India between 2012 and 2017 providing much needed depth and volume to the Indian cryptocurrency market. These included popular exchanges such as Zebpay, Coinsecure, Unocoin, Koinex, Pocket Bits and Bitxoxo. With the price of cryptocurrencies shooting up and because of its increased popularity and adoption by users outside of its traditional cult following, regulators worldwide began to take notice of this new technology; in India the RBI issued a Press Release cautioning the public against dealing in virtual currencies including Bitcoin way back in 2013. However, the transaction volumes and adoption of cryptocurrencies in India really picked up in earnest only after the demonetisation of high value currency notes in November of 2016, with the government’s emphasis on digital payments leading to alternatives to traditional online banking such as cryptocurrencies forcing their way into the public consciousness. Indian cryptocurrency exchanges started acquiring users at a much higher pace which drove up volume for cryptocurrency transactions on all Indian exchanges. The growing popularity of cryptocurrencies and its adoption by large numbers of Indian users forced the RBI to issue another Press Release in February 2017 reiterating its concerns regarding cryptocurrencies raised in its earlier Press Release of 2013.

In October and November, 2017 two Public Interest Petitions were filed in the Supreme Court of India, one by Siddharth Dalmia and another by Dwaipayan Bhowmick, the former asking the Supreme Court to restrict the sale and purchase of cryptocurrencies in India, and the latter asking for cryptocurrencies in India to be regulated. Both the petitions are currently pending in the Supreme Court.

In November, 2017 the Government of India constituted a high level Inter-ministerial Committee under the chairmanship of Shri Subhash Chandra Garg, Secretary, Department of Economic Affairs, Ministry of Finance and comprising of Shri Ajay Prakash Sawhney (Secretary, Ministry of Electronics and Information Technology), Shri Ajay Tyagi (Chairman, Securities and Exchange Board of India) and Shri B.P. Kanungo (Deputy Governor, Reserve Bank of India). The mandate of the Committee was to study various issues pertaining to Virtual Currencies and to propose specific actions that may be taken in relation thereto. This Committee submitted its report in July of 2019 recommending a ban on private cryptocurrencies in India.

In December 2017 both the RBI as well as the Ministry of Finance issued Press releases cautioning the general public about the dangers and risks associated with cryptocurrencies, with the Ministry of Finance Press Release saying that cryptocurrencies are like ponzi schemes and also declaring that they are not currencies or coins. It should be mentioned here that till the end of March 2018, the RBI and the Finance Ministry had issued various Press Releases on cryptocurrencies cautioning people against their risks, however none of them ever took any legal action or gave any enforceable directions against cryptocurrencies. All of this changed with the RBI circular dated April 6, 2018 whereby the RBI prevented Commercial and Co-operative Banks, Payments Banks, Small Finance Banks, NBFCs, and Payment System Providers not only from dealing in virtual currencies themselves but also directing them to stop providing services to all entities which deal with virtual currencies.

The effect of the circular was that cryptocurrency exchanges, which relied on normal banking channels for sending and receiving money to and from their users, could not access any banking services within India. This essentially crippled their business operations since converting cash to cryptocurrencies and vice versa was an essential part of their operations. Even pure cryptocurrency exchanges which did not deal in fiat currency, were unable to carry out their regular operations such as paying for office space, staff salaries, server space, vendor payments, etc. without access to banking services.

As a the operations of cryptocurrency exchanges took a severe hit and the number of transactions on these exchanges reduced substantially. People who had bought cryptocurrencies on these exchanges as an investment were forced to sell their crypto assets and cash out before they lost access to banking facilities. The cryptocurrency exchanges themselves found it hard to sustain operations in the face of the dual hit of reduced transaction volumes and loss of access banking services. Faced with such an existential threat, a number of exchanges who were members of the Internet and Mobile Association of India (IMAI), filed a writ petition in the Supreme Court on May 15, 2018 titled Internet and Mobile Association of India v. Reserve Bank of India, the final arguments in which were heard by the Supreme Court of India in January, 2020 and the judgment is awaited. If the Supreme Court agrees with the arguments of the petitioners, then cryptocurrency exchanges would be able to restart operations in India; as a result the cryptocurrency ecosystem in India may be revived and cryptocurrencies may become a viable investment alternative again.

For more details visit http://editors.cis-india.org/internet-governance/blog/cryptocurrency-regulation-in-india-2013-a-brief-history

A Compilation of Research on the PDP Bill

pranav — 2020-03-05T08:04:24Z

The most recent step in India’s initiative to create an effective and comprehensive Data Protection regime was the call for comments to the Personal Data Protection Bill, 2019, which closed last month. Leading up to the comments, CIS has published numerous research pieces with the goal of providing a comprehensive overview of how this legislation would place India within the global scheme, and how the local situation has developed, as well as analysing its impacts on citizens’ rights.

In addition to general and clause-by-clause comments and recommendations, we have compiled an annotated version of the Personal Data Protection Bill, which lays out our commentary in an easy-to-follow format.

Below, you can find our other recent research on Data Protection:

Pallavi Bedi has put together a note on the Divergence between EU’s General Data Protection Regulation (GDPR) and the Personal Data Protection Bill.

In addition, Pallavi has also contrasted the Personal Data Protection Bill with the GDPR and California Consumer Protection Act, in the contexts of jurisdiction and scope, rights of the data principal, obligations of data fiduciaries, exemptions, data protection authority, and breach of personal data.

On IAPP’s blog Privacy Perspectives, D. Shweta Reddy has assessed whether the Personal Data Protection Bill 2019 is sufficient for India to receive adequacy status from the EU.

Along with Justin Sherman, Arindrajit Basu has outlined the key global takeaways from the Personal Data Protection Bill 2019 on Lawfare.

On The Diplomat, Arindrajit has also traced the narrowing localization provisions in India, as well as Vietnam and Indonesia, and studied the actors and geopolitical tussle that has shaped these provisions.

Through a string of publicly available submissions, press statements, and other media reports, Arindrajit and Amber Sinha have tracked the political evolution of the data protection ecosystem in India, and how this has, and will continue to impact legislative and policy developments on EPW Engage.

Gurshabad Grover and Tanaya Rajwade have written on The Wire about how the Personal Data Protection Bill regulates social media.

Amber was also a guest on Suno India’s Cyber Democracy podcast, with Srinivas Kodali, to discuss how the latest version of the Personal Data Protection Bill will impact the right to privacy.

For more details visit http://editors.cis-india.org/internet-governance/blog/compilation-of-research-on-data-protection

Governing ID: Kenya’s Huduma Namba Programme

amber — 2020-03-02T13:19:15Z

In our fourth case-study, we use our Evaluation Framework for Digital ID to examine the use of Digital ID in Kenya.

Read the case-study or download as PDF.

For more details visit http://editors.cis-india.org/internet-governance/blog/governing-id-kenya2019s-huduma-namba-programme

Governing ID: Use of Digital ID in the Healthcare Sector

Shruti Trikanad — 2020-03-02T13:21:22Z

In our third case-study, we use our Evaluation Framework for Digital ID to examine the use of Digital ID in the healthcare sector.

Read the case-study or download as PDF.

For more details visit http://editors.cis-india.org/internet-governance/blog/governing-id-use-of-digital-id-in-the-healthcare-sector

Governing ID: India’s Unique Identity Programme

Vrinda Bhandari — 2020-03-02T11:38:51Z

In our second case-study, we use our Evaluation Framework for Digital ID to assess India’s Unique Identity Programme.

Read the case-study or download as PDF.

For more details visit http://editors.cis-india.org/internet-governance/governing-id-india2019s-unique-identity-programme

Governing ID:  Use of Digital ID for Verification

Shruti Trikanad — 2020-03-02T11:16:19Z

This is the first in a series of case studies, using our recently-published Evaluation Framework for Digital ID. It looks at the use of digital identity programmes for the purpose of verification, often using the process of deduplication.

Read the case-study or download as PDF.

For more details visit http://editors.cis-india.org/internet-governance/blog/governing-id-2028use-of-digital-id-for-verification

Governing ID: A Framework for Evaluation of Digital Identity

Vrinda Bhandari, Shruti Trikanad, and Amber Sinha — 2020-03-02T13:22:43Z

As governments across the globe implement new and foundational digital identification systems (Digital ID), or modernize existing ID programs, there is an urgent need for more research and discussion about appropriate uses of Digital ID systems. This significant momentum for creating Digital ID has been accompanied with concerns about privacy, surveillance and exclusion harms of state-issued Digital IDs in several parts of the world, resulting in campaigns and litigations in countries, such as UK, India, Kenya, and Jamaica. Given the sweeping range of considerations required to evaluate Digital ID projects, it is necessary to formulate evaluation frameworks that can be used for this purpose.

This work began with the question of what the appropriate uses of Digital ID can be, but through the research process, it became clear that the question of use cannot be divorced from the fundamental attributes of Digital ID systems and their governance structures. This framework provides tests, which can be used to evaluate the governance of Digital ID across jurisdictions, as well as determine whether a particular use of Digital ID is legitimate. Through three kinds of checks — Rule of Law tests, Rights based tests, and Risks based tests — this scheme is a ready guide for evaluation of Digital ID.

View the framework or download as PDF.

For more details visit http://editors.cis-india.org/internet-governance/blog/governing-id-a-framework-for-evaluation-of-digital-identity

Governing ID: Introducing our Evaluation Framework

Shruti Trikanad — 2020-03-02T08:03:49Z

With the rise of national digital identity systems (Digital ID) across the world, there is a growing need to examine their impact on human rights. In several instances, national Digital ID programmes started with a specific scope of use, but have since been deployed for different applications, and in different sectors. This raises the question of how to determine appropriate and inappropriate uses of Digital ID. In April 2019, our research began with this question, but it quickly became clear that a determination of the legitimacy of uses hinged on the fundamental attributes and governing structure of the Digital ID system itself. Our evaluation framework is intended as a series of questions against which Digital ID may be tested. We hope that these questions will inform the trade-offs that must be made while building and assessing identity programmes, to ensure that human rights are adequately protected.

Rule of Law Tests

Foundational Digital ID must only be implemented along with a legitimate regulatory framework that governs all aspects of Digital ID, including its aims and purposes, the actors who have access to it, etc. In the absence of this framework, there is nothing that precludes Digital IDs from being leveraged by public and private actors for purposes outside the intended scope of the programme. Our rule of law principles mandate that the governing law should be enacted by the legislature, be devoid of excessive delegation, be clear and accessible to the public, and be precise and limiting in its scope for discretion. These principles are substantiated by the criticism that the Kenyan Digital ID, the Huduma Namba, was met with when it was legalized through a Miscellaneous Amendment Act, meant only for small or negligible amendments and typically passed without any deliberation. These set of tests respond to the haste with which Digital ID has been implemented, often in the absence of an enabling law which adequately addresses its potential harms.

Rights based Tests

Digital ID, because of its collection of personal data and determination of eligibility and rights of users, intrinsically involves restrictions on certain fundamental rights. The use of Digital ID for essential functions of the State, including delivery of benefits and welfare, and maintenance of civil and sectoral records, enhance the impact of these restrictions. Accordingly, the entire identity framework, including its architecture, uses, actors, and regulators, must be evaluated at every stage against the rights it is potentially violating. Only then will we be able to determine if such violation is necessary and proportionate to the benefits it offers. In Jamaica, the National Identification and Registration Act, which mandated citizens’ biometric enrolment at the risk of criminal sanctions, was held to be a disproportionate violation of privacy, and therefore unconstitutional.

Risk based Tests

Even with a valid rule of law framework that seeks to protect rights, the design and use of Digital ID must be based on an analysis of the risks that the system introduces. This could take the form of choosing between a centralized and federated data-storage framework, based on the effects of potential failure or breach, or of restricting the uses of the Digital ID to limit the actors that will benefit from breaching it. Aside from the design of the system, the regulatory framework that governs it should also be tailored to the potential risks of its use. The primary rationale behind a risk assessment for an identity framework is that it should be tested not merely against universal metrics of legality and proportionality, but also against an examination of the risks and harms it poses. Implicit in a risk based assessment is also the requirement of implementing a responsive mitigation strategy to the risks identified, both while creating and governing the identity programme.

Digital ID programmes create an inherent power imbalance between the State and its residents because of the personal data they collect and the consequent determination of significant rights, potentially creating risks of surveillance, exclusion, and discrimination. The accountability and efficiency gains they promise must not lead to hasty or inadequate implementation.

For more details visit http://editors.cis-india.org/internet-governance/blog/governing-id-introducing-our-evaluation-framework

How to Shut Down Internet Shutdowns

pranav — 2020-02-03T11:13:12Z

This talk will focus on the challenges and opportunities for research on internet shutdowns after the judgement of the Supreme Court in Anuradha Bhasin v. Union of India. Stepping beyond the judgement, there will be a wider discussion on the practice of whitelists, blocking powers of the central government.

About the Speaker

Apar Gupta is the Executive Director of the Internet Freedom Foundation.

Apar has been fighting the good fight for digital rights. While in law school almost 20 years ago, he wrote a legal commentary on the IT Act that is now in its third edition. As a lawyer in the Supreme Court, he worked on landmark cases such as on Section 66A, Intermediary Liability, Internet Shutdowns, the Right to Privacy and Privacy.

He also helped create public campaigns to advance net neutrality, reform defamation laws, fight Internet shutdowns and create a privacy statute. Apar previously ran his own successful law firm, was profiled in Outlook Magazine and listed in Forbes India's list of 30 under 30. He has also worked as a commercial litigator and partner in top law firms, written papers cited widely in local and international publications and taught courses at NLS and NLU.

RSVP here, or by sending an email Torsha (torsha@cis-india.org).

For more details visit http://editors.cis-india.org/internet-governance/events/how-to-shutdown-internet-shutdowns

Automated Facial Recognition Systems and the Mosaic Theory of Privacy: The Way Forward

Arindrajit Basu, Siddharth Sonkar — 2020-01-02T14:12:38Z

Arindrajit Basu and Siddharth Sonkar have co-written this blog as the third of their three-part blog series on AI Policy Exchange under the parent title: Is there a Reasonable Expectation of Privacy from Data Aggregation by Automated Facial Recognition Systems?

The Mosaic Theory of Privacy

Whether the data collected by the AFRS should be treated similar to face photographs taken for the purposes of ABBA is not clear in the absence of judicial opinion. The AFRS would ordinarily collect significantly more data than facial photographs during authentication. This can be explained with the help of the mosaic theory of privacy.

The mosaic theory of privacy suggests that data collected for long durations of an individual can be qualitatively different from single instances of observation. It argues that aggregating data from different instances can create a picture of an individual which affects her reasonable expectation of privacy. This is because a mere slice of information reveals a lot less if the same is contextualised in a broad pattern — a mosaic.

The mosaic theory of privacy does not find explicit reference in Puttaswamy II. The petitioners had argued that seeding of Aadhaar data into existing databases would bridge information across silos so as to make real time surveillance possible. This is because information when integrated from different silos becomes more than the sum of its parts.

The Court, however, dismissed this argument, accepting UIDAI’s submission that the data collected remains in different silos and merging is not permitted within the Aadhaar framework. Therefore, the Court did not examine whether it is constitutionally permissible to integrate data from different silos; it simply rejected the possibility of surveillance as a result of Aadhaar authentication.

Jurisprudence in other jurisdictions is more advanced. In United States v. Jones, the United States Supreme Court had observed that the insertion of a global positioning system into Antoine Jones’ Jeep in the absence of a warrant and without his consent invaded his privacy, entitling him to Fourth Amendment Protection. In this case, the movement of Jones’ vehicle was monitored for a period of twenty-eight days. Five concurring opinions in Jones acknowledges that aggregated and extensive surveillance is capable of violating the reasonable expectation of privacy irrespective of whether or not surveillance has taken place in public.

The Court distinguished between prolonged surveillance and short term surveillance. Surveillance in the short run does not reveal what a person repeatedly does, as opposed to sustained surveillance which can reveal significantly more about a person. The Court takes the example of how a sequence of trips to a bar, a bookie, a gym or a church can tell a lot more about a person than the story of any single visit viewed in isolation.

Most recently, in Carpenter v. United States, the Supreme Court of the United States held that the collection of historical cell data by the government exposes the physical movements of an individual to potential surveillance, and an individual holds a reasonable expectation of privacy against such collection. The Court admitted that historical-cell site information allows the government to go back in time in order to retract the exact whereabouts of a person.

Judicial decisions have not addressed specifically whether facial recognition through law enforcement constitutes a search under the Fourth Amendment or a “mere visual observation”.

The common thread linking CCTV footages and cellular data is the unique ability to track the movement of an individual from one place to another, enabling extreme forms of surveillance. It is perhaps this crucial link that would make ARFS-enabled CCTVs prejudicial to individual privacy.

The mosaic theory as understood in Carpenter helps one understand the extent to which an AFRS can augment the capacities of law enforcement in India. This in turn can help in understanding whether it is constitutionally permissible to install such systems across the country.

AFRS enabled-CCTV footages from different CCTVs. if viewed in conjunction could reveal a sequence of movements of an individual, enabling long-term surveillance of a nature that is qualitatively distinct from isolated observances observed across unrelated CCTV footages.

Subsequent to Carpenter, federal district courts in the United States have declined to apply Carpenter to video surveillance cases since the judgement did not “call into question conventional surveillance techniques and tools, such as security cameras.”

The extent of processing that an AFRS-enabled CCTV exposes an individual to would be significantly greater. This is because every time an individual is in the zone of a AFRS-enabled CCTV, the facial image will be compared to a common database. Snippets from different CCTVs capturing the individual’s physical presence in two different locations may not be meaningful per se. When observed together, the AFRS will make it possible to identify the individual’s movement from one place to another.

For instance, the AFRS will be able to identify the person when they are on Street A at a particular time and when they are Street B in the immediately subsequent hour recorded by respective CCTV cameras, indicating the person’s physical movement from A to B. While a CCTV camera only records movement of an individual in video format, AFRS translates that digital information into individualised data with the help of a comparison of facial features with a pre-existing database.

Through data aggregation, which appears to be the aim of the Indian government in their tender that links three databases, it is apparent that the right to privacy is in danger. Yet, at present, there does not exist any case law or legislation that can render such efforts illegal at this juncture.

Conclusions and The Way Forward

Despite a lack of judicial recognition of the potential unconstitutionality of deploying AFRS, it is clear that the introduction of these systems pose a clear and present danger to civil rights and human dignity. Algorithmic surveillance alters a human being’s life in ways that even the subject of this surveillance cannot fully comprehend. As an individual’s data is manipulated and aggregated to derive a pattern about that individual’s world, the individual or his data no longer exists for itselfbut are massaged into various categories.

Louis Amoore terms this a ‘data-derivative’, which is an abstract conglomeration of data that continuously shapes our futures without us having a say in their framing. The branding of an individual as a criminal and then aggregating their data causes emotional distress as individuals move about in fear of the state gaze and their association with activities that are branded as potentially dangerous — thereby suppressing a right to dissent — as exemplified by their use reported use during the recent protests in Hong Kong.

Case law both in India and abroad has clearly suggested that a right to privacy is contextual and is not surrendered merely because an individual is in a public place. However, the jurisprudence protecting public photography or videography under the umbrella of privacy remains less clear globally and non-existent in India.

The mosaic theory of privacy is useful in this regard as it prevents mass ‘data-veillance’ of individual behaviour and accurately identifies the unique power that the volume, velocity and variety of Big Data provides to the state. Therefore, it is imperative that the judiciary recognise safeguards from data aggregation as an essential component of a reasonable expectation of privacy. At the same time, legislation could also provide the required safeguards.

In the US, Senators Coons and Lee recently introduced a draft Bill titled ‘The Facial Recognition Technology Warrant Act of 2019’. The Bill aims to impose reasonable restrictions on the use of facial recognition technology by law enforcement. The Bill creates safeguards against sustained tracking of physical movements of an individual in public spaces. The Bill terms such tracking ‘ongoing surveillance’ when it occurs for over a period of 72 hours in real time or through application of technology to historical records. The Bill requires that ongoing surveillance only be conducted for law enforcement purposes and in pursuance of a Court Order (unless it is impractical to do so).

While the Bill has its textual problems, it is definitely worth considering as a model going forward and ensure that AFR systems are deployed in line with a rights-respecting reading of a reasonable expectation of privacy. Parsheera suggests that the legislation should narrow tailoring of the objects and purposes for deployment of AFRS, restrictions on the person whose images may be scanned from the databases, judicial approval for its use on a case by case basis and effective mechanisms of oversight, analysis and verification.

Appropriate legal intervention is crucial. A failure to implement this effectively jeopardizes the expression of our true selves and the core tenets of our democracy.

For more details visit http://editors.cis-india.org/internet-governance/automated-facial-recognition-systems-and-the-mosaic-theory-of-privacy-the-way-forward

Automated Facial Recognition Systems (AFRS): Responding to Related Privacy Concerns

Arindrajit Basu, Siddharth Sonkar — 2020-01-02T14:09:14Z

Arindrajit Basu and Siddharth Sonkar have co-written this blog as the second of their three-part blog series on AI Policy Exchange under the parent title: Is there a Reasonable Expectation of Privacy from Data Aggregation by Automated Facial Recognition Systems?

The Supreme Court of India, in Puttaswamy I recognized that the right to privacy is not surrendered merely because the individual is in a public place. Privacy is linked to the individual as it is an essential facet of human dignity. Justice Chelameswar further clarified that privacy is contextual. Even in a public setting, people trying to converse in whispers would signal a claim to the right to privacy. Speaking on a loudspeaker would naturally not signal the same claim.

The Supreme Court of Canada has also affirmed the notion of contextual privacy. As recently as on 7 March, 2019, the Supreme Court of Canada in a landmark decision defined privacy rights in public areas implicitly applying Helena Nissenbaum’s theory of contextual integrity. Helena Nissenbaum explains that the extent to which the right to privacy is eroded in public spaces with the help of her theory of contextual integrity.

Nissenbaum suggests that labelling information as exclusively public or private fails to take into account the context which rationalises the desire of the individual to exercise her privacy in public. To explain this with an illustration, there exists a reasonable expectation of privacy in the restroom of a restaurant, even though it is in a public space.

In R v Jarvis (Jarvis), the Court overruled a Court of Appeal for Ontario decision to hold that people can have a reasonable expectation of privacy even in public spaces. In this case, Jarvis was charged with the offence of voyeurism for secretly recording his students. The primary issue that the Supreme Court of Canada was concerned with was whether the students filmed by Mr. Jarvis enjoyed a reasonable expectation of privacy at their school.

The Court in this case unanimously held that students did indeed have a reasonable expectation of privacy. The Court concluded nine contextual factors relevant in determining whether a person has a reasonable expectation to privacy would arise. The listed factors were:

“1. The location the person was in when he or she was observed or recorded,

2. The nature of the impugned conduct (whether it consisted of observation or recording),

3. Awareness of or consent to potential observation or recording,

4. The manner in which the observation or recording was done,

5. The subject matter or content of the observation or recording,

6. Any rules, regulations or policies that governed the observation or recording in question,

7. The relationship between the person who was observed or recorded and the person who did the observing or recording,

8. The purpose for which the observation or recording was done, and

9. The personal attributes of the person who was observed or recorded.” (paragraph 29 of the judgement).

The Court emphasized that the factors are not an exhaustive list, but rather were meant to be a guiding tool in determining whether a reasonable expectation of privacy existed in a given context. It is not necessary that each of these factors is present in a given situation to give rise to an expectation of privacy.

Compared to the above-mentioned factors in Jarvis, the Indian Supreme Court in Justice K.S Puttaswamy (Retd.) v. Union of India: Justice Sikri (Puttaswamy II) — the case which upheld the constitutionality of the Aadhaar project relied on the following factors to determine a reasonable expectation of privacy in a given context:

“(i) What is the context in which a privacy claim is set up?

(ii) Does the claim relate to private or family life, or a confidential relationship?

(iii) Is the claim a serious one or is it trivial?

(iv) Is the disclosure likely to result in any serious or significant injury and the nature and extent of disclosure?

(v) Is disclosure relates to personal and sensitive information of an identified person?

(vi) Does disclosure relate to information already disclosed publicly? If so, its implication?”

These factors (acknowledged in Puttaswamy II in paragraph 292) seem to be very similar to the ones laid down in Jarvis, i.e., there is a strong reliance on the context in both cases. While there is no explicit mention of individual attributes of the individual claiming a reasonable expectation, the holding that children should be given an opt out indicates that the Court implicitly takes into account personal attributes (e.g. age) as well.

The Court in Jarvis further (in paragraph 39) took the example of a woman in a communal change room at a public pool. She may expect other users to incidentally observe her undress but she would continue to expect only other women in the change room to observe her and reserve her rights against the general public. She would also expect not to be video recorded or photographed while undressing, both from other users of the pool and by the general public.

If it is later found out that the change room had a one-way glass which allowed the pool staff to view the users change — or if there was a concealed camera recording persons while they were changing, she could claim a breach of her reasonable expectation of privacy under such circumstances and it would constitute an invasion of privacy.

So, in the context of an AFRS, an individual walking down a public road may still signal that they wish to avail of their right to privacy. In such contexts, a concerted surveillance mechanism may come up against constitutional roadblocks.

What is the nature of information being collected?

The second big question — the nature of information which is being collected plays a role in determining the extent to which a person can exercise their reasonable expectation of privacy. Puttaswamy II laid down that collection of core biometric information such as fingerprints, iris scans in the context of the Aadhaar-Based Biometric Authentication (‘ABBA’) is constitutionally permissible. The basis of this conclusion is that the Aadhaar Act does not deal with the individual’s intimate or private sphere.

The judgement of the Supreme Court in Puttaswamy II is in a very specific context (i.e. the ABBA). It does not explain or identify the contextual factors which determine the extent to which privacy may be reasonably expected over biometrics generally. In this judgment, the Court observed that demographic information and photographs do not raise a reasonable expectation of privacy under Article 21 unless there exist special circumstances such as the disclosure of juveniles in conflict of law or a rape victim’s identity.

Most importantly, the Court held that face photographs for the purpose of identification are not covered by a reasonable expectation of privacy. The Court distinguished face photographs from intimate photographs or those photographs which concern confidential situations.

Face photographs, according to the Court, are shared by individuals in the ordinary course of conduct for the purpose of obtaining a driving license, voter id, passport, examination admit cards, employment cards, and so on. Face photographs by themselves reveal no information.

Naturally, this pronouncement of the Apex Court is a huge boost for the introduction of AFRS in India.

Abroad, however, on 4 September 2019, in Edward Bridges v. Chief Constable of South Wales Police, a Division Bench of the High Court in England and Wales heard a challenge against an AFRS introduced by law enforcement (see Endnote 1). The High Court rejected a claim for judicial review holding that the AFRS in question does not violate inter alia the right to privacy under Article 8 of the European Convention of Human Rights (‘ECHR’).

According to the Court, the AFRS was used for specific and limited purposes, i.e., only when the image of the public matched a person on an existing watchlist. The use of the AFRS was therefore considered a lawful and fair restriction.

The Court, however, acknowledged that extracting biometric data through AFRS is “well beyond the expected and unsurprising”. This seems to be a departure from the Indian Supreme Court’s observation in Puttaswamy II that there is no reasonable expectation of privacy over biometric data in the context of ABBA, and may be a wiser approach for the Indian courts to adopt.

Endnote

1. The challenge was put forth by Edward Bridges, a civil liberties campaigner from Cardiff for being caught on camera in two particular deployments of the AFRS a) when he was at Queen Street, a busy shopping area in Cardiff and b) when he was at the Defence Procurement, Research, Technology and Exportability Exhibition held at the Motorpoint Arena.

This was published by AI Policy Exchange.

For more details visit http://editors.cis-india.org/internet-governance/automated-facial-recognition-systems-afrs-responding-to-related-privacy-concerns

Decrypting Automated Facial Recognition Systems (AFRS) and Delineating Related Privacy Concerns

Arindrajit Basu, Siddharth Sonkar — 2020-01-02T14:01:48Z

Arindrajit Basu and Siddharth Sonkar have co-written this blog as the first of their three-part blog series on AI Policy Exchange under the parent title: Is there a Reasonable Expectation of Privacy from Data Aggregation by Automated Facial Recognition Systems?

The use of aggregated Big Data by governments has the potential to exacerbate power asymmetries and erode civil liberties like few technologies of the past. In order to guard against the aggressive aggregation and manipulation of the data generated by individuals who are branded as suspect, it is critical that our firmly established constitutional rights protect human dignity in the face of this potential erosion.

The increasing ubiquity of Automated Facial Recognition Systems (AFRS) serve as a prime example of the rising desire of governments to push fundamental rights to the brink. With AFRS, the core fundamental right in question is privacy, although questions have been posed regarding the potential violation of other related rights, such as the Right to Equality and the Right to Free Speech and Expression, as well.

There is a rich corpus of literature, (see here, here and an excellent recent paper by Smriti Parsheera here) from a diverse coterie of scholars that call out the challenges posed by AFRS, particularly with respect to its proportionality as a restriction over the right to privacy. Our contribution to this discourse focuses on a very specific question around a ‘reasonable expectation of privacy’ — the standard identified for the protection of privacy in public spaces across jurisdictions, including in India. This is because at this juncture, the precise nature of the AFRS which will eventually be used and the regulations it will be subject to are not clear.

In Retd. K.S Puttaswamy (Retd.) v. Union of India: Justice Chandrachud (Puttaswamy I), the Indian Supreme Court was concerned with the question whether there exists a fundamental right to privacy under the Indian Constitution. A nine-judge bench of the Court recognized that the right to privacy is a fundamental right implicit inter alia in the right to life within Article 21 of the Constitution.

The right to privacy protects people and not places. Every person is entitled, however, to a reasonable expectation of privacy. The expectation of privacy must be twofold. First, the person must prove that the alleged act could inflict some harm. Such harm must be real and not be speculative or imaginary. Second, society must recognize this expectation as reasonable. The test of reasonable expectations is contextual, i.e., the extent to which it safeguards privacy depends on the place at which the individual is.

In order to pass any constitutional test, therefore, AFRS must satisfy the ‘reasonable expectation’ test articulated in Puttaswamy. However, in this context, the test itself has multiple contours. Do we have a right to privacy in a public place? Is AFRS collecting any data that specifically violates a right to privacy? Is the aggregation of that data a potential violation?

After providing a brief introduction to the use cases of AFRS in India and across the world, we embark upon answering all these questions.

Primer on Automated Facial Recognition Systems (AFRS)

Facial recognition is a biometric technology that utilises cameras to match stored or live footage of individuals (including both stills and moving footage) with images or video from an existing database. Some systems might also be used to analyze broader demographic trends or conduct sentiment analysis through crowd scanning.

While the use of photographs and video footage have been core components of police investigation, the use of algorithms to process vast tracts of Big Data (characterized by ‘Volume, Velocity, and Variety), and compare disparate and discrete data points allows for the derivation of hitherto unfeasible insights on the subjects of Big Data.

The utilisation of AFRS for law enforcement is rapidly spreading around the world. A Global AI Surveillance Index compiled by the Carnegie Endowment for International Peace found that at least sixty-four countries are incorporating facial recognition systems into their AI surveillance programs.

Chinese technology company Yitu has entered into a partnership with security forces in Malaysia to equip police officers with facial recognition body cameras that, powered by enabling technologies, would allow a comparison of images caught by the live body cameras with images from several central databases.

In England and Wales, London Metropolitan Police, South Wales Police, and Leicestershire Police are all in the process of developing technologies that allow for the identification and comparison of live images with those stored in a database.

The technology is being developed by Japanese firm NEC and the police force has limited ability to oversee or modify the software, given its proprietary nature. The Deputy Chief of South Wales Police stated that “the tech is given to [them] as a sealed box… [and the police force themselves] have no input – whatever it does, it does what it does.”

In the US, Baltimore’s police set up facial recognition cameras to track and arrest protestors — a system that reached its zenith during the 2018 riots in the city.

It is suspected that authorities in Hong Kong are also using AFRS to clamp down on the ongoing pro-democracy protests.

In India, the Ministry of Home Affairs, through the National Crime Records Bureau put out a tender for a new AFRS, whose stated objective is to “act as a foundation for national level searchable platform of facial images.” The AFRS will pull facial image data from CCTV feeds and compare these with existing records across databases including the Crime and Criminal Tracking Networks and Systems (CCTNS), Inter-operable Criminal Justice System (or ICJS), Immigration Visa Foreigner Registration Tracking (IVFRT), Passport, Prisons and state police records.

Plans are also afoot to integrate this with the yet to be deployed National Automated Fingerprint Identification System (NAFIS), thereby creating a multi-faceted surveillance system.

Despite raising eyeballs due to its potential all-pervasive scope, this tender is not the first instance of AFRS being used by Indian authorities. Punjab Police, in partnership with Gurugram-based start-up Staqu has launched and commenced implementation of the Punjab Artificial Intelligence System (PAIS) which uses digitised criminal records and automated facial recognition to retrieve information on a suspected criminal and essentially tracks their public whereabouts, which poses potential constitutional questions.

This was published by AI Policy Exchange.

For more details visit http://editors.cis-india.org/internet-governance/decrypting-automated-facial-recognition-systems-afrs-and-delineating-related-privacy-concerns

Call for Comments: Model Security Standards for the Indian Fintech Industry

pranav — 2019-12-16T13:16:25Z

The Centre for Internet and Society is pleased to make available the Draft document of Model Security Standards for the Indian Fintech Industry, for feedback and comments from all stakeholders. The objective of this document which was first published in November 2019, is to ensure that the data of users is dealt with in a secure and safe manner by the Fintech Industry, and that smaller businesses in the Fintech industry have a specific standard to look at in order to limit their liabilities for any future breaches.

We invite any parties interested in the field of technology policy, including but not limited to lawyers, policy researchers, and engineers, to send in your feedback/comments on the draft document by the 16th of January 2020. We intend to publish our final draft by the end of January 2020. We look forward to receiving your contributions to make this document more comprehensive and effective. Please find a copy of the draft document here.

For more details visit http://editors.cis-india.org/internet-governance/call-for-comments-model-security-standards-for-the-indian-fintech-industry

ICANN Begins its Sojourn into Open Data

Padmini Baruah and Sumandro Chattapadhyay — 2016-11-12T01:17:24Z

The Internet Corporation for Assigned Names and Numbers (ICANN) recently announced that it will now set up a pilot project in order to introduce an Open Data initiative for all data that it generates. We would like to extend our congratulations to ICANN on the development of this commendable new initiative, and would be honoured to support the creation of this living document to be prepared before ICANN 58.

To quote the ICANN blog directly, the aim of this project is to “bring selected data sets into the open, available through web pages and programming APIs, for the purposes of external party review and analysis” [1]. This will play out through the setting up of three components:

Development of a catalogue of existing data sets which will be appropriate for publication
Selection of the technology necessary for managing the publication of these data sets.
Creation of a process to prioritise the order in which the data sets are made available [2].

Principles in Question

The Centre for Internet and Society firmly believes in the value of accessible, inclusive open data standards as a tool for enhancing transparency in any system. Greater transparency goes a long way towards bringing a regulatory authority closer to those who are governed under it – be it a state or a body such as ICANN. It is, in fact, an indispensable component of a multistakeholder model of governance to facilitate informed participation by all parties concerned in the decision making process.

The right to information that a regulatory authority owes those it regulates has two kinds of components. The first may be described as reactive disclosure – “when individual members of the public file requests for and receive information” [3]. The second is disclosure that is more proactive in nature – “when information is made public at the initiative of the public body, without a request being filed” [4]. The former is epitomized by initiatives such as the Freedom of Information Act [5] in the United States, the Right to Information Act in India [6], or ICANN’s very own Documentary Information Disclosure Policy [7].

Proactive disclosure policies, on the other hand, operate out of the principle that the provision of information by those in positions of regulatory authority will ensure free and timely flow of information to the public, and the information so provided will be equally accessible to everyone, without the need for individual requests being filed [8]. Proactive disclosure also goes a long way towards preventing officials from denying or manipulating information subsequent to publication [9]. Scholars have touted proactive disclosure as the “future of the right to know” [10].

At the Centre for Internet and Society, much of our research has pointed towards the direction of creating better open data standards for governments (Please see “Open Data Government Study: India”). We are one of the Lead Stewards of the International Open Data Charter [11] and have maintained that it is crucial for governments to maintain open data standards in the interest of transparency and accountability. We firmly believe that the same principles extend also to ICANN – a body which, as per its own by-laws commits towards operating “…to the maximum extent feasible in an open and transparent manner and consistent with procedures designed to ensure fairness”[12].

Suggestions

While this policy is in its nascent stage, we would like to put forward certain principles which we believe ought to be kept in mind before it gets chalked out, in the best interest of the ICANN community:

To determine what data sets should be made publicly accessible, it would be useful to carry out an analysis of existing DIDP requests to understand trends in the kind of information that the ICANN community is interested in accessing, which can then be proactively disclosed. It would be redundant on ICANN’s part to disclose, under this Open Data Policy, data which is already publicly available.
ICANN should first develop a catalog of all existing data sets with ICANN, apply the principles for deciding appropriateness for publication, then make publicly available both the full catalog, and the actual data sets identified for publication. ICANN should make clear the kind of information it is not going to make accessible under this open data standards, and justify the principles on the basis of which it is choosing to do so (analogous to the exceptions clauses under the DIDP).
With respect to technology to be selected for managing the publication of data sets, free and open source software (such as CKAN) ought to be used, and open standards should be adopted for the use and licensing of such data.
Such data ought to be downloadable in bulk in CSV/JSON/XML formats.
DIDP responses and the open data work flows ought to be integrated so that all the responses to DIDP requests are automatically published in a machine-readable format as open data.
Qualitative (text of speeches, slides from presentations, recordings of sessions, etc.) and quantitative data should both be included under this new policy.

In conclusion, we would like to extend our congratulations to ICANN on the development of this commendable new initiative, and would be honoured to support the creation of this living document before ICANN 58.

Endnotes

[1] Internet Corporation for Assigned Names and Numbers, ICANN Kicks off Open Data Initiative Pilot, (November 6, 2016), available at https://www.icann.org/news/blog/icann-kicks-off-open-data-initiative-pilot (Last visited on November 9, 2016).

[2] Id.

[3] Naniette Coleman, Proactive vs. Reactive Transparency, (February 8, 2010), available at: http://blogs.worldbank.org/publicsphere/proactive-vs-reactive-transparency (Last visited on November 9, 2016).

[4] Id.

[5] Freedom of Information Act, 1966, 5 U.S.C. § 552.

[6] Right to Information Act, 2005 available at http://righttoinformation.gov.in/rti-act.pdf

[7] ICANN, Documentary Information Disclosure Policy, available at https://www.icann.org/resources/pages/didp-2012-02-25-en (Last visited on November 9, 2016).

[8] Helen Darbishire, Proactive Transparency: The future of the right to information? Working paper. N.p.: World Bank, (2009).

[9] Id.

[10] Darbishire, supra note 8.

[11] Open Data Charter, Who We Are, available at http://opendatacharter.net/who-we-are/ (Last visited on November 10, 2016).

[12] Article III(1), Bylaws For Internet Corporation For Assigned Names And Numbers

For more details visit http://editors.cis-india.org/internet-governance/icann-begins-its-sojourn-into-open-data

Centre for Internet and Society

RBI Ban on Cryptocurrencies not backed by any data or statistics

Cryptocurrency Regulation in India – A brief history

A Compilation of Research on the PDP Bill

Governing ID: Kenya’s Huduma Namba Programme

Governing ID: Use of Digital ID in the Healthcare Sector

Governing ID: India’s Unique Identity Programme

Governing ID: Use of Digital ID for Verification

Governing ID: A Framework for Evaluation of Digital Identity

Governing ID: Introducing our Evaluation Framework

Rule of Law Tests

Rights based Tests

Risk based Tests

How to Shut Down Internet Shutdowns

About the Speaker

Automated Facial Recognition Systems and the Mosaic Theory of Privacy: The Way Forward

Automated Facial Recognition Systems (AFRS): Responding to Related Privacy Concerns

Endnote

Decrypting Automated Facial Recognition Systems (AFRS) and Delineating Related Privacy Concerns

Call for Comments: Model Security Standards for the Indian Fintech Industry

ICANN Begins its Sojourn into Open Data

Principles in Question

Suggestions

Endnotes

Governing ID:  Use of Digital ID for Verification