Regulating the smart, to make it safe

Recent DDoS attacks using IoT devices make a strong case for regulation of smart appliances.

Last year in September, when a couple of hackers wirelessly controlled a Cherokee Jeep, they demonstrated how the ‘connected’ world we live in today can become a nightmare with the proverbial ‘flick of a switch’ or, as in this case, by injecting malicious code into an otherwise normally functioning machine. The matter was hushed up by Chrysler after it released a software patch for the affected model, and the hackers landed a job with Uber’s Advanced Technology Centre! A case of all’s well that ends well, maybe? Definitely not.

Breaking the internet, literally

A couple of weeks back, services of websites like Twitter, Facebook, Netflix, Airbnb, Reddit and The New York Times went down across the world when a distributed denial of service (DDoS) attack took down internet infrastructure provider Dyn. Investigation into the attack revealed that it was engineered by a botnet (a temporary network of ‘dumb’ devices controlled by malicious code) created using the Mirai bot. Mirai is a program that helps attackers search the internet for devices that are using ‘default’ passwords. The attackers then gain access to these devices, put them to their own bidding and use them to send repeated requests to a target website or service provider until it eventually crashes from overload.

The Dyn attack is not an isolated incident, as attacks using bots like Mirai have become increasingly frequent this year. In September, French hosting service OVH was targeted by an IoT botnet composed of 1,14,607 compromised digital video recorders and IP cameras; in the case of Dyn, this number is estimated to be about a lakh such compromised devices. In fact, some security researchers believe that the comparatively smaller number of compromised devices used may point to this being a trial run by cyber criminals. The possibility of a more powerful attack in the future is undeniable because the developer behind Mirai has released the malware’s source code, along with step-by-step instructions on how to use it, in the public domain.

Security in collaboration

Ideally, having seen the potential for catastrophe, the manufacturers of IoT devices should take steps on their own to boost device security. But that isn’t likely to happen, as IoT devices are price-sensitive and investments in security increase costs. The competition to bring a product into the ever more crowded niche is strong enough to push security and data privacy concerns into the background. Collaboration is one of the ways forward, as shown by the Allseen Alliance, an industry group consisting of around 170 members including Haier, Panasonic, Qualcomm and Microsoft. The alliance has come up with ‘AllJoyn’, a collaborative open-source software framework that makes it easy for devices and apps to discover and communicate with each other. AllJoyn is manufacturer and OS independent, facilitating direct communication over Wi-Fi or Bluetooth protocols. If more manufacturers comply with these standards, it will push low quality devices off the consumer’s choice lists. The Open Connectivity Foundation is also engaged in developing standards and certification for IoT devices. It has sponsored a project called ‘IoTivity’ whose goal is to create a new extensible, secure and robust architecture that works for smart devices globally. Adopting a ‘Security in Design’ approach for IoT devices would go a long way in preventing repeats of Mirai bot attacks in the near future.

Sharing responsibility for ‘Everything’

According to Gartner, the Internet of Things is slated to reach 6.4 billion installed devices by the end of this year and would continue to grow at a phenomenal pace to reach 21 billion devices by 2020. Each one of these devices will be a node that will generate, transmit or process end user data. A very large chunk of this data will be personal in nature (health records, financial transactions, location etc.), making it a prime target for attackers with malicious intent. Fine tuning existing data collection and privacy policies is thus the need of the hour. End users will need to have control over what information to share and with whom to share it, and a clear knowledge of the recipients of this information. Further, there needs to be active user education that makes users aware of their choices.

This should be supplemented by a shared liability regime between software developers, device manufacturers and insurers. Lengthy and complex end-user agreements that practically disown any liability for the developers need to be replaced with ones that actually define the liability while being user friendly in draft and execution. When manufacturers and developers own up to the legal responsibilities for security and privacy breaches, it will increase end user confidence in adopting the Internet of Things.

Regulating smart devices

Lastly, governments need to work on a regulatory framework to oversee this process. This would include dusting the cobwebs off ancient technology laws and aligning them with the changes in the Internet landscape. User privacy concerns and secure design should be integrated into the charters of the respective standard setting organizations within their jurisdictions. Further, the process of establishing a shared liability regime can be pushed through by legislation if market dynamics are hindering its uptake. Policy documents that address these concerns need to be widely discussed and debated in the public domain. The Indian government is yet to formalize its IoT policy after it released a draft in the public domain last year. The draft in its present form pays mere lip service to the aspects of data security and user data privacy. For a government looking to move towards net zero import of electronic products by 2020 under its Digital India initiative, codifying its IoT policy should be a top priority.

Openness, anonymity and the lack of government regulation are the principles that have led to the growth of the internet that we know today. But the advent of IoT has ensured that the same idealism that built the internet now threatens it by exposing it to infrastructure-crippling attacks. Standard setting for IoT devices needs to be extended as a measure of user safety. If there are standards so that devices don’t catch fire or give an electric shock to the user, would it not be right to expect devices that are not easily compromised by hackers? If we fail to do this now, then we should not be surprised if we hear about a botnet bringing down a power supply network using your smart refrigerator as a bot in the not so distant future.

This article was first published by Hindustan Times

Making one citizen, one identity, a reality

Analysis of the Aadhaar (Targeted delivery of financial and other subsidies, benefits and services) Bill, 2016

Finance Minister Arun Jaitley, in his recent budget speech, had given an assurance of statutory backing for the Aadhaar program. This NDA government plans to use the program to curtail wasteful expenditure on subsidies and government service delivery, using the unique identification feature of Aadhaar to identify intended beneficiaries and target the disbursement of such benefits. First mooted by Mr. Nandan Nilekani in 2009, the concept of using a citizen centric unique identification mechanism was embraced by the UPA government via an executive notification. However, as the gamut of citizens’ personal information collected by the government began increasing, there were demands to make this process more accountable and transparent in its operations.

After two failed attempts in 2010 and 2013 to establish the National Identification Authority of India (NIAI) by the UPA Government, the Aadhaar (Targeted delivery of financial and other subsidies, benefits and services) Bill, 2016 presented by Mr. Jaitley provides for establishment of a Unique Identification Authority of India (UIDAI). Coming on the back of a pending Supreme Court case addressing the apprehensions about the lack of adequate provisions to protect the privacy of citizens, this Bill is expected to have a far-reaching impact on the way citizens’ data is collected, used, shared and protected from misuse by Government agencies.

First, let us look at how the present bill compares with the earlier bill of 2010.

[Image: comparison of the present Bill with the earlier Bill of 2010]

The Bill, while defining a subsidy as any form of aid, support, grant, subvention, or appropriation, in cash or kind, to an individual or a group of individuals provided by the Central Government, mandates that the beneficiary should furnish or enroll for an Aadhaar number while seeking benefits. However, it goes on to state that if an Aadhaar number is not assigned to an individual, the individual shall be offered alternate and viable means of identification for delivery of the subsidy or service by the Government.

The Bill draws heavily from the National Identification Authority of India (NIAI) Bill (2010) in nature and scope, but has some significant additions, primarily focused on bringing more clarity to definitions, incorporating provisions protecting citizen data privacy and widening the scope of penal provisions for unauthorized access to citizens’ personal information. It categorizes the personal information collected from citizens into four main categories.

[Image: the four categories of personal information]

In an attempt to incorporate privacy principles in the legislation, the Bill mandates that the agency in charge of enrolling citizens in the Aadhaar database inform the citizen about how the information will be used, with whom it might be shared and the citizen’s right to access this information for making changes if necessary. As for storage of information, the Bill mandates that the UIDAI create a Central Identities Data Repository (CIDR) and put in place measures to ensure the security of this database. The Bill also introduces the concept of a ‘Requesting Agency’, i.e. the agency that collects identity information from citizens to authenticate it against the CIDR. The requesting agency is supposed to obtain the explicit consent of the individual before collecting information for the purpose of authentication. Further, it should also ensure that the information is only sent to the CIDR and inform the user about how this information will be used.

The government has already been reprimanded by the Supreme Court over the possible misuse of citizen information, and the lessons learnt are reflected in the various clauses of the bill. The Bill puts the entire onus of ensuring the security of citizens’ identity information and authentication records on the UIDAI. It strictly mandates that Core Biometric information cannot be shared with anyone for any reason and should not be used for any reason other than generating an Aadhaar number. More importantly, the bill has provisions against government agencies disclosing citizens’ identity information in the public domain. Interestingly, these penal provisions apply for offences committed outside India by any person, irrespective of his nationality.

There are special clauses in the Aadhaar Bill that allow for access to the CIDR through a court order issued by a District Magistrate or above after a hearing has been granted to the UIDAI in this regard. There is also a special “National Interest” clause that allows an officer above the rank of Joint Secretary to the Government of India to issue directives on behalf of the Central Government for access to information with the CIDR. Such a directive, however, needs to be reviewed by an Oversight Committee consisting of the Cabinet Secretary and the Secretaries to the Government of India in the Department of Legal Affairs and the Department of Electronics and Information Technology, and would be valid only for a period of three months. It is expected that this is used in the rarest of rare cases and not for blanket surveillance activities.

In its present form, the Bill manages to tick most of the boxes that guarantee citizens a high degree of control over the personally identifiable information that they share with different Government agencies. It is, however, found lacking on the aspect of sufficient parliamentary oversight of the operation of the UIDAI, as there is no provision for constitution of a parliamentary selection committee to appoint the Chairman of the UIDAI, and the clause providing for an Identity Review Committee to annually review the work of the UIDAI is missing from this bill as well. While the Finance Minister talked about putting in place ‘sun set’ clauses for all schemes announced after the Budget, this Bill does not incorporate any time lines for ensuring speedier enrollments for Aadhaar, nor does it incentivize enrollment. It is expected that the UIDAI will also put in place a grievance redressal mechanism for citizens to report irregularities with their personally identifiable information, as such a provision is presently missing in the Bill.

While the debate at present is centered on the constitutionality of introducing the Bill as a Money Bill in the Lok Sabha (the final decision with regard to which lies only with the speaker of the Lok Sabha), the need of the hour is to have a public debate around the various shortcomings of this bill. This bill will lay the foundation for including terms to secure citizens’ personal information by agencies that collect and process it. The Government should also look at introducing amendments to other Acts that permit collection of information, such as the Census Tax Act (1948), Income Tax Act (1961), Passport Act (1967) etc., and align them with the strong penal provisions in this bill.

The full text of the bill is available here.

Ensuring privacy in a digital age

Citizens are unaware of how their personally identifiable information is collected, stored, used and shared

On 28 January 1981, the European Council signed the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, popularly known as Convention 108. It is the first legally binding international treaty dealing with privacy and data protection. The day has since been celebrated as Data Protection Day in Europe and as International Data Privacy Day around the world. In today’s era of digitization, it is imperative that we understand the concept—and importance—of data privacy.

According to an Internet and Mobile Association of India report, India has around 400 million Internet users. This number took a decade to reach 100 million from 10 million, three years to reach 200 million and just another year to reach 300 million. The Internet is essentially a data ecosystem where every node is engaged in generation, transmission, consumption and storage of data. The scale of this data ecosystem can be gauged from the fact that by 2019, the gigabyte equivalent of all movies ever made will cross India’s Internet protocol networks every hour.

But the situation is such that while we are generating such high volumes of data—most of which is of the “identifier” type that is used to identify a person, a thing or an entity in the ecosystem—we do not have in place measures that safeguard the privacy of this data, nor regulate data retention by platforms collecting it. As a result, ordinary citizens are unaware of how their personally identifiable information is collected, stored, used and shared. Further, as governance-driven digitization (Aadhaar, digital lockers, direct account transfers) fuels large-scale sensitive data collection and storage, the Information Technology Act, with its limited scope to penalize government agencies for breach of data privacy, is the only legal instrument available to citizens against contravention of their privacy in the data ecosystem. This leaves citizens exposed—as in 2013, when the Maharashtra government simply lost the personal data of 300,000 Aadhaar card applicants.

The need of the hour is a comprehensive legislation that provides for a right to privacy as a fundamental entitlement to citizens. The groundwork for such legislation has already been laid in 2012 by a Justice A.P. Shah-headed group of experts constituted by the Planning Commission. The commission had proposed a set of national privacy principles that would place an obligation on data controllers to put in place safeguards and procedures that would enable and ensure protection of privacy rights. These include: notice (to be given to users while collecting data); choice and consent (of users while collecting data from them); collection limitation (to keep user data collected at the minimum necessary); purpose limitation (to keep the purpose as adequately defined and narrow as possible); access and correction (for end users to correct or delete their personal data as may be necessary); disclosure of information (private data should not be disclosed without explicit consent of end user); security (defining responsibility to ensure technical, administrative and physical safeguards for data collected); openness (informing end users of possible collection and utilization of personal data); accountability (institutionalize accountability for adherence to these principles).

The proposed framework aims at being technology neutral and compliant with international standards already in place to protect user privacy. It also recognizes the multiple dimensions of privacy and aims at establishing a national ethos for privacy protection, while remaining flexible to address emerging concerns. It seeks horizontal applicability, with both the public and private sectors brought under the purview of privacy legislation. An attempt to introduce such legislation in Parliament failed in 2011 as there could not be a consensus on which government agencies could seek exclusion from such provisions and collect citizen data without any oversight.

Until such provisions are established by law, it will be necessary to adopt mechanisms that ensure compliance towards use of privacy enhancing technologies (PET). PETs are essentially processes and tools that allow end users to safeguard the privacy of their personally identifiable information that they willingly provide to government agencies and other service providers. PETs put the end user in control over what information to share, with whom to share and a clear knowledge of the recipients of this information. The use of data encryption and mandating multi-factor authentication for access to end user data can be examples of other PETs that can be implemented by service providers and government agencies alike.

Our government needs to start with aligning our technology laws with the evolving Internet landscape. User privacy concerns and secure designing should be integrated in the charters of respective standard-setting organizations. There needs to be active user education that makes them aware of their choices. Lengthy and complex privacy policies that practically hand over control of user data to the platforms collecting it need to be replaced with ones that are user friendly in draft and execution. Policy documents that address these concerns need to be widely discussed and debated in the public domain. Recently, the Indian government released its draft Internet of Things Policy and it devotes only one line to the need to have security and privacy standards. The policy document on Smart Cities is indifferent to these concerns as well.

Last year, the Supreme Court referred to a constitutional bench the petition seeking inclusion of the Right to Privacy under Article 21 (Right to Life). While the verdict of the honourable court is still awaited, we can take the first steps towards safeguarding ourselves by voluntarily inculcating digital privacy principles.

This article was published in Live Mint on the occasion of International Data Privacy Day

#Rewind 2015

Reviewing the important developments in Information and Communication Technology (ICT) policy space in 2015

A Supreme Judgement

The month of March saw the Supreme Court of India strike down Sec 66A of the Indian IT Act. This section was inserted as an amendment to the IT Act in 2009. It was a piece of legislation that had been brought in by the UPA government without any debate in the Parliament and defended with all its might by the present NDA government, not to mention oft abused to serve vested political interests over genuine cases of cyber-crime. In its judgement the Supreme Court criticized the section for its vague wording and emphasized that having clarity in definitions helps to prevent arbitrary and discriminatory enforcement of law.

The judges also observed that the possibility of application of Section 66A for purposes not sanctioned by the constitution cannot be ignored and hence rendered it void and unconstitutional. The Supreme Court however upheld the constitutionality of Section 69A that allows for blocking of content over the internet (through an elaborate procedure) and Section 79A that holds the intermediary responsible for removal of content over the platform where it is hosted. This judgement does not translate into a “freedom-to-post-anything” scenario as there are provisions in the Indian Penal Code which when read with other provisions of the IT Act can be used to punish cyber stalking, voyeurism and acts inciting religious or communal hatred.

TRAI(ing) to shoot the messenger

What followed next was a consultation paper proposing regulation of Over-the-Top (OTT) applications in India rolled out by the Telecom Regulatory Authority of India (TRAI). The vibrant debate on Net Neutrality that it spawned would never have happened without this paper. It provided a rallying point for the various stakeholders in this domain to voice their views on this issue, effectively bringing out the issue of Net Neutrality from the power lobbies to the “walls” of the average netizen in India.

The paper argued that most of the OTT applications are offered for free to the end users and that the market valuation of these applications is based on their large user base. Stakeholders investing in OTT service providers may push for monetizing these services in future, and this may come at the cost of the customer’s interests; it is therefore necessary to bring in checks and balances that ensure adequate customer protection. The public reaction to this paper (over a million emails sent to TRAI by citizens) had the underlying message that the TRAI should work towards ensuring that the Internet remains a bastion of free speech and expression and a market place of ideas, instead of making it an aggregation of walled pockets that restrict user interaction rather than enabling it.

Decoding the nitty-gritty of Digital India initiative

Digital India, an ambitious project of the NDA government aimed at transforming India into a digitally empowered society and knowledge economy was launched in July. Provisioning of high-speed broadband connectivity as a utility to citizens with priority for rural areas, making government and citizen-facing services available online and digital empowerment are the stated objectives of the project. It subsumes many existing government schemes, restructures them for implementation in a synchronized manner with a focus on improvement of processes with minimal cost overheads. The main difference between Digital India and similar programmes in the past is the movement away from the sector-specific programs and towards a holistic implementation that covers the entire digital ecosystem in the country.

Right to Privacy?

In August the Supreme Court referred to a larger constitutional bench a petition opposing the Aadhaar Card (Unique Identification Program) on the grounds that collection of biometric data of the citizens is a violation of the “Right to Privacy”, implied under Right to Life (Art 21) of the Indian Constitution. The interim order had made it clear that enrolling for the Aadhaar Card was entirely voluntary and lack of it should not be used as a reason to exclude any citizen from receiving any benefits due. While the larger bench did rule in October that the card can be used for the Mahatma Gandhi National Rural Employment Guarantee Act (MGNREGA), all types of pension schemes, the employee provident fund and the Prime Minister Jan Dhan Yojana, it did not allow its use by stock exchanges and phone companies to curb financial irregularities, black money and terrorism. The case brought to the fore the pressing need for a “Privacy” legislation in the country, the contours of which have been demarcated by the Justice Shah Commission in 2012.

Decrypting the National Encryption policy

The draft National Encryption policy was rolled out by the Department of Electronics and Information Technology (DeitY) in early September. The paper was a halfhearted attempt by the government to define standards for encryption of stored and in-transit data, by proposing that end users should store plain text copies of such communications for 90 days and present them to the government as and when asked for. The fact that a high-end technology like encryption found its way into public policy discourse is commendable in itself. However, the nature of the technology that the policy tried to regulate is very dynamic, and coercive regulation may end up throttling its development and growth instead of promoting it. So strong was the public reaction to the policy that it was withdrawn by DeitY in a span of less than four days. This public reaction also sent out a strong message that the government needs to work hand in hand with technologists and subject matter experts if it aims to convert good intentions into sound policy actions.

How to pay for what is “Basically Free”?

Just as the year was ending, TRAI came out with another consultation paper, seeking public inputs on Differential Pricing for Data Services. While the fate of the first paper is still not known, this new paper aims to address the issues of differential pricing and transparency in data tariff offerings. One reassuring change in the present paper is the reference to Telecom Service Providers (TSPs) as Data Service Providers, which denotes a more holistic approach than the platform-specific approach adopted earlier by TRAI. Without directly naming Facebook’s Free Basics and Airtel’s Zero, the paper goes into detail to explain why these two models are the primary suspects under the regulator’s radar. The paper notes that in the long term such business models may create “gate keepers” out of TSPs that will be able to determine user access to content by upward or downward variations, making some content prohibitively expensive to access while making other content available for free.

Free Speech on the Internet

The mixed nature of events in 2015 was accentuated by the fact that while the Internet Freedom Report published by Freedom House showed that the state of freedom over the internet in India was improving, the Facebook Government Request Report showed that India presently leads the world with a staggering 15,155 requests to remove content in 2015 (H1), up from 5832 in 2014 (H2). Around 73% of all the global requests for removing content on Facebook are from India. Whether the repeal of Sec 66A will meet its intended objective of allowing free speech on social media platforms, or whether government agencies will continue engaging in a covert form of online censorship on platforms that are hailed as the next frontiers of freedom of speech, will be clear in data from subsequent reports.

2016 also promises to be an exciting year in the ICT public policy discourse. The TRAI is expected to clarify its stand on the access versus neutrality debate; a policy document on the proposed regulation of cab aggregation apps like Uber & Ola is in the offing. The buzz of excitement around the announcements made by the Google and Facebook CEOs about free Wi-Fi at train stations and partnership in the Digital India program will need to face the realities of on-ground implementation. How governments react to technological advances that move much faster than policy and legislation will define the future of ICT growth in India.

Internet freedom report: What does it say about India?

Analysis of the Freedom on the Net (2015) Report

Freedom House, a US-based independent watchdog working in the domain of political and civil liberties, recently released its fifth annual report analyzing the global state of freedom over the internet. The report made headlines highlighting the finding that freedom over the internet in India is showing an upward trend for the second year in a row. It also put China in the position of the most oppressive nation when it comes to curtailing freedom of citizens over the internet.

A thorough analysis of the report will help us understand how governments across the globe are trying to throttle the expression of speech over the Internet, which is also referred to as the Great Leveler of the 21st century.

What is the report about?

As the name suggests, the report is an index that measures the degree of freedom that citizens of various countries enjoy while using the internet. It measures each country’s level of internet and digital media freedom based on a set of methodology questions. Considering the increasing technological convergence, the index also measures access and openness of other digital means of transmitting information, particularly mobile phones and text messaging services. The index scores 65 countries, which have been chosen to represent a mix of geographical diversity and economic development while displaying varying levels of political and media freedoms. The 2015 report covers the period from June 2014 to May 2015.

How does the index measure “Freedom”?

Freedom on the Net is measured using an index that is compiled after scoring responses to 21 questions and 100 sub-questions. These questions are divided into three categories – Obstacles to Access, Limits on Content and Violations of User Rights.

[Image: the three categories of questions]

Points are allotted to each question such that a lower number of points is allotted for a more free situation, while a higher number of points is allotted for a less free environment. Points add up to produce a score for each of the subcategories, and a country’s total points for all three represent its final score (0-100). Based on the score, Freedom House assigns the following internet freedom ratings:

[Image: internet freedom ratings by score]

What are the important global trends in the 2015 report?

Content removal, i.e. takedown or deletion of specific webpages, blogs, videos or articles by the platform hosting them or the user uploading them, is taking precedence over blocking or filtering such websites/platforms. Blocking and filtering are known to be ineffective with the growing use of circumvention (proxies) and encryption tools. This trend is worrying as it aims to censor content at the point of origin and puts the burden of censorship on intermediary platforms and citizens. The increasing number of requests for content removal received by platforms like Google, Facebook and Twitter is a testimony to this trend. Private service providers often have to make the hard choice between free speech considerations and business interests in the country where such requests originate. Incidents in Saudi Arabia and Bahrain are cited in the report to highlight legal actions taken against individuals for not complying with government legislation mandating takedown of content.

In spite of the public backlash against state-sponsored surveillance in 2013, as many as 14 countries came up with new laws to increase surveillance over the last year. Laws that mandate ISPs to retain metadata (usually the time, origin, and destination of communications, or in some cases the actual content of internet traffic) have been passed by countries under the guise of strengthening the investigative capacities of law enforcement agencies. Australia, UK and Italy passed laws that increased the duration of retention of such data, while France, after the Charlie Hebdo incident, has mandated installation of “Black Boxes” by ISPs that will enable governments to collect and analyze metadata from their networks. Trade in surveillance technologies is thriving in a market fueled by demand from countries like Pakistan, Bangladesh and Bahrain, with credible evidence of their use against lawyers, activists and even politicians.

Governments all over the world are re-looking at the standards of data encryption in use for internet communication. Many countries (including India) are placing limits on the availability of encryption services. The anonymity offered by the internet is being targeted by associating it with terrorist activities and by banning circumvention and encryption tools like TOR and VPN connections from being used for communication over the internet.

The most worrying trend, however, is that of increasing risk to activists. Offline punishments for online expression have seen an increase not only in numbers but also in severity, as authorities as well as criminal elements have repeatedly sought to make public examples out of internet users who showed opposition to their agenda.

What content is blocked the most around the world?

Content related to these topics is blocked the most across the world.

[Image: topics of content blocked the most across the world]

What does the report say about India?

India’s score has shown a drop from 42 points in 2014 to 40 in this year’s report. Also, the trend of India moving up the internet freedom index has been constant for two years now. This year’s better score is single-handedly attributed to the Supreme Court’s judgement that declared section 66A of the Information Technology (IT) Act as contravening the provisions of the Indian Constitution. India also maintained her position as the third largest Internet user base, behind the United States and China. Further, the report notes positive developments in the regulatory framework, a decline in detentions for online speech and a steady increase in digital access.

India, however, faces an uphill task on all three criteria of the index. On the access front, while mobile users are driving the growth of India, significant milestones still need to be achieved to ensure last mile connectivity. India has one of the lowest base speeds for broadband, and internet access is not available to almost 80% of the schools in the country. Plans to take broadband internet to gram panchayats through the National Fiber Optic Network have not progressed at the expected pace. Language is a significant barrier to access in India: with only 12% of the population speaking English, the lack of content in local languages by itself distances 50% of the population from effectively using the Internet. The success of the Digital India campaign in taking the internet to the yet unconnected will be analyzed in future reports.

Content blocking still continues to show an upward trend in India, with Facebook receiving the maximum number of requests from India to block content. While section 66A was scrapped, section 69A of the IT Act and the content blocking rules framed under it were upheld by the Supreme Court. These rules bring in an element of intermediary liability that has been noted to be unfair in the report. The report cites examples of the ban on the documentary “India’s Daughter”, ban on pornographic websites and other bans imposed by the government to highlight arbitrary content blocking in India.

The situation of user rights violation is comparatively better in India. The number of cases filed for content posted online has shown a significant decline. This may again be due to dropping of charges after section 66A was rendered invalid by the Supreme Court. The complaints and arrests were for different types of social and political content, much of it for statements against politicians. The report also states that the legal framework in India is vaguely defined and law enforcement agencies are not adequately trained in handling cases that involve cyberbullying, abuse of women and children, infringement of user privacy, etc.

The report applauds the vibrant public debate on the issue of Net Neutrality that happened after the TRAI rolled out a consultation paper seeking public opinion on regulation of over-the-top (OTT) applications. It stresses the need to pass a privacy legislation that keeps user interests at its core and warns about mass surveillance projects like the Central Monitoring System (CMS) and NETRA that are planned to allow law enforcement agencies to tap into various forms of communications. The impact of various blackouts in Gujarat and Jammu and Kashmir that have happened later this year will significantly dent the prospects of a better ranking for India next year.

The Freedom on the Net report for India is a one stop document for policy makers to understand issues that got public attention for violation of online freedom of speech. A detailed analysis of the report by DeitY will enable the government to understand the ground realities of an India that is rapidly ascending to the top of internet users in the world. The Government would do well to take cognizance of this elaborate research work and incorporate its findings in future policy and legal decisions.

This article was written for the Hindustan Times. The original article can be seen here.

The Wrong (U) turn

While we take the day off to celebrate the spirit of Republic that is enshrined in our Constitution, it would be apt to take a look at one of the most recent chances squandered by the Central Government to live by the same principles of the Constitution.

Early last week, the Central government filed affidavits in reply to four separate PILs in the Supreme Court challenging the constitutionality of Sec 66A of the IT Act 2000. The law officers of the government went on to elaborate that the clause in its present form was necessary as “danger was present and clear” in the wake of the dynamic nature of cyberspace and that the provision sought to “regulate” and “curb the misuse of communication devices”.

The affidavit also states that “The misuse of technology created serious law and order situations threatening the social fabric and national security”. This was augmented by stating that, “In this milieu of rapid technological advancement, even a single unlawful/illegal message or image has a potential to tear the social fabric and destroy peace and tranquility. Hence, the law enforcement agencies are always racing against the time to diffuse such situations, leading to arrests and blocking of certain websites/webpages/links in the interest of sovereignty and integrity of India, including public order.” Furthermore, the justification also hinged on the argument that countries like the USA, UK and Australia have similar legal provisions to “regulate the use of cyber space”.

While the dynamic nature of cyberspace is an inevitable reality that policy makers are yet to embrace fully, the approach chosen by the new government has turned out to be quite disappointing. The government machinery has yet again chosen to adopt a fire fighting approach towards dealing with the complex relations that social media platforms in the cloud are forging with users on the ground.

Though an acceptance of this complexity is now visible, the government is a long way from making an effort to understand it in totality. Instead of opting to train its officers towards enhancing this understanding, the government prefers having “blanket bans” as its first choice weapon. Clearly, the learnings from the social media fuelled mass exodus of north east Indians from cities like Bangalore in 2012 have been reduced to file notes.

While it is encouraging to see references made to legislative practices in other countries (and thus avoiding re-inventing the wheel every time), this time the comparison has missed an important point. Most of the countries mentioned in the affidavit have “Right to Privacy” legislations that give citizens the entitlement to approach courts for violations of user privacy in cyber space. Further, the definitions in their legislations are not as vague as ours. In fact, the government would benefit by looking into the same legislations it is quoting, to see if they are as draconian as Sec 66A.

What is surprising is that this approach of the NDA government is not in sync with its historical stance on the same issue. The Bharatiya Janata Party (BJP), which is the majority party of this government, had in September 2013 issued a press release from its IT Cell condemning Section 66A in its present form. The government had sent positive signals towards amending the vague provisions of the section in a conclave organized by the Law Commission of India late last year. While these assurances had brought joy to activists working in the domain of user privacy, the icing on the cake was a direct intervention by the PMO in December last year announcing a re-look at Section 66A.

By going back on its words the NDA government has missed an opportunity to drive home a point about it being committed to netizens who it aims to tap into for everything from designing logos to submitting ideas on better governance. By initiating amendments to Section 66A, the government could have set an example of its intentions to repeal irrelevant legislations as it had promised in its election manifesto as well. All it chose to do instead was to point out an advisory issued by the Department of Electronics and Information Technology (DeitY) in 2013 that mandates state police departments to get approval of senior police officials[1] prior to making arrests under Section 66A.

The NDA government is now moving out of its “positive sentiments” phase and into the more difficult “policy defining” phase. By harping on UPA era arguments it is sending out wrong signals to those awaiting the “implementation” phase of its policies. Small steps like acknowledging the flaws in Section 66A could go a long way in projecting the image of citizen-centric governance over a regulation-centric one.

It would be fair to say that the onus is now on the NDA government to explain why legislation that imposes more draconian and drastic restrictions on speech on the internet than those that apply to speech offline is essential to effectively police cyberspace. While Article 19(2)[2] of our Constitution allows the government to frame laws that reasonably restrict free speech, the NDA government must tell us how Section 66A can plausibly be interpreted as a “reasonable restriction”.

————————————————————————————————————————–

[1] Inspector General of Police for Metropolitan cities, Deputy Commissioner or Superintendent of Police at District level

[2] Nothing in sub-clause (a) of clause (1) shall affect the operation of any existing law, or prevent the State from making any law, in so far as such law imposes reasonable restrictions on the exercise of the right conferred by the said sub-clause in the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order, decency or morality, or in relation to contempt of court, defamation or incitement to an offence.

Archives of the Old Wonk


This post is an archive of my posts published on The Broad Mind & Filter Coffee, under the Indian National Interest (INI) network of the Takshashila Institution. Also archived here is a policy advisory that I had worked on with Rohan Joshi for submission to the Law Commission of India.

Do we care about privacy?

The Filter Coffee, October 2013

In this post I argue for an urgent debate between the government and citizens on privacy rights and limitations in India, given the recently implemented Centralized Monitoring System. The post also looks at Sections 69 & 69B of the Information Technology Act 2008 in light of increasing cases of “lawful” interception coming out in public domain. (Read Post)

Privacy laws and legal interception in India

The Filter Coffee, May 2014

In this post I have tried to bring together the various legal provisions (and amendments) to the IT Act that make an effort to address the concerns of user data privacy in India. It also argues for inclusion of “Right to Privacy” as a part of Chapter III of the Indian Constitution. (Read Post)

Policy Advisory – Bringing IT Act 2000 in Alignment with the Constitution

The Takshashila Institute, July 2014

This document is the authors’ formal submission to the Law Commission of India. The commission floated a Consultation Paper on Media Law in May 2014 to elicit views from stakeholders and the general public. (Executive Summary)

Store in India

The Broad Mind, November 2014

In this post I have tried to highlight the incoherent approach adopted by Indian policy makers towards understanding the changing dynamics of a “data ecosystem” in a world that is fast embracing the “Internet of Things”. I have also proposed a four layered model to demonstrate the possible approach that can be adopted while working on a holistic policy for the rapidly evolving data ecosystem in India. (Read Post)

Store in India! Part II

The Broad Mind, December 2014

This post concludes the argument presented towards changing the narrative of “India based Servers” to creating a more enabling and engaging environment so that disruptive innovations like OTT apps can thrive in India. (Read Post)