Nip this Apple air-pod in the bud.

The article published yesterday about “Digital Marketing” and its future in the society increasingly becoming sensitive to Privacy issues has evoked a few responses from other professionals.

One such response worth noting is the linked in article “Neuro Data, Capitalism & Privacy Regulation” by Deepti Bhatia. (Incidentally Deepti is the President of Delhi Chapter of FDPPI).

In this article, Deepti raises many issues requiring further debate. We shall take one issue issue raised in this article for discussion today and that is the “Apple Patent on a Bio sensor embedded air pods”.

We have discussed “Neuro Rights” extensively in this website in the past and highlighted how Brain Computer interfaces, Humanoid Robots and CyBorgs with AI could transform the society in directions that may not be desirable. In such discussions, we have factored the raise of technology in neuro science which can read brain waves either through electrodes fixed on a skull cap or a chip embedded surgically inside the human skull.

In using such devices there was a “Technology Barrier” that would restrict the wide use of such technologies.

However Technology has now progressed alarmingly with Apple applying their skills to develop a wearable which can perhaps read brain waves and claiming a patent.

The US patent number US20230225659 titled “Biosignal sensing device using dynamic selection of electrodes” is a dangerous patent that makes the common discussions on “Deceptive Privacy Invasion techniques through Dark Pattern” look absolutely childish.

This device is being designed as “Airpods” looking just like normal airpods and hiding all the electrodes that make the earlier devices clumsy.

Further the Apple device can be used for deceptive marketing since it can capture signals such as brain waves, muscle movements etc. It can be much more than the wearables like the Watch and interact directly with the brain activity to read the “Neuro-data” generated by the humans.

The background of the invention states:

Brain activity can be monitored using electrodes placed on the scalp of a user. The electrodes may in some cases be placed inside or around the outer ear of the user. Measuring of the brain activity using electrodes placed in or around the outer ear may be preferred due to benefits such as reduced device mobility and decreased visibility of the electrodes when compared to other devices that require electrodes to be placed on visible areas around the scalp of the user…”

In this context the invention is designed as a wearable where the electrodes are invisible. Hence this is eminently suited for deceptive marketing and taking over of human brain activity through remote influence exercised on the human brain.

Imagine that a person wearing this airpod is taking a buying decision. The airpod server knows the buying intention and can broadcast it to vendors who can instantly bid for neuro messages to be sent to influence the purchase in favour of one supplier over the other. This would be like the dynamic advertisement that would be displayed when you search for a product on google.

The society should recognize the potential for misuse of this technology and take steps that such technologies are killed in the bud.

I urge Indian law makers and particularly Mr Rajeev Chandrashekar (expected to be back as IT Minister) to ensure that this AI device should be banned for sale in India or made subject to very strict licensing.

The IPR authorities should also re-consider if they should provide IPR protection to such devices.

In most of the new Privacy laws, IPR is always respected and granted an exemption. But the time has come to put reigns on IPR through other laws. Forget the international treaties on IPR, it is time to reign in IPR laws in preference to laws that are meant to protect the human society.

Let us remember that Technology can be disruptive but not destructive.

Naavi

Refer also:

Wearable system for bio signal acquisition and monitoring…

Posted in Cyber Law | Leave a comment

How Will Digital Marketing Survive DPDPA?

One of the industries which is directly under threat of survival after DPDPA is the “Digital marketing industry”.

Marketing requires understanding the consumer’s buying behaviour and creating a communication that convinces the prospective customer that a given product or service satisfies the requirement of the consumer.

The principle of AIDAS namely, Creating Awareness, Generating Interest, Eliciting a Desire, making the product available and achieving satisfaction in the post sale scenario is the formula for successful marketing of any product or service.

If Marketing does not exist, then the products and services will wither away.

An excessive importance to placing restrictions on Consumer Marketing will eventually increase the cost of the product which will fall on the consumer. If the consumer is vary of bearing this cost, he will reject all offers other than the existing brands about which he already has some information. This means that “New Products” and “New Companies” will have a tough time to promote their existence.

Have we as Privacy professionals thought about the difficulties in “Profiling” and “Targeted Advertising” that any privacy law considers as abhorring?

Has the Digital Marketing Industry thought of how they will survive the post DPDPA scenario in India? . If they try any tricks to hood wink the consumer, they may be accused of practicing “Dark Patterns”. If they are too open and ask for consents, they need to be ready for about a response which will be not more than 1% .

If we look at the responses for “Pay Per Clicks” advertising vs “Banner Ads” and the responses in specific sites like Linked in vs advertising in Blogs we will understand that the Clickthrough rate for social media is around 1.36 % (Q2 2023 statistics). This is for a product which is advertised. If we consider “Request for Consent” as an advertisement, then the click through could be even less.

This means that to get 1 consent, an organization may have to spend cost of 100 notices. Currently the “Privacy Policies” as a “Declaration” does not require a specific consent.

This scenario is an existential threat to Digital Marketing Companies.

As consultants it is difficult for us to either advise an organization to ignore this risk or to provide a suitable compliance solution.

Unfortunately the Digital marketing industry and Internet advertising industry in India has not woken up to the problems and designing a sectoral approach to counter the business risks.

I invite industry professionals to write back and let us know what can be done in this aspect.

Naavi

Posted in Cyber Law | Leave a comment

Posted in Cyber Law | Leave a comment

Why DGPSI is the Gold Standard of Compliance to DPDPA?

India has been discussing the Data Protection Law for last several years and finally arrived at the DPDPA 2023.

The act has been notified with Presidential approval but the notification of an effective date and some rules are pending. We hope this is within the 100 days agenda of the Modi 3.0 Government.

We donot know how generous would be the Government in giving time for implementation. At the same time we also donot know how much time each organization takes to be compliant. However one thing is certain, any organization which starts early is likely to meet the dead line more effectively than others who keep procrastinating.

A question however arises how can any organisation starts compliance program before the rules are notified.

It is true that the rules can make a difference to the compliance program. But a large part of time consuming compliance activities are already identified and we donot need any mor clarification.

It is in this context that the framework DGPSI (Data Governance and Protection Standard of India) which has been designed and developed by Professionals of FDPPI emerges as the Gold standard of DPDPA compliance.

For those who donot know DGPSI, it is time to make efforts to know DGPSI Lite and DGPSI Full versions of framework that meets the compliance levels expected in the Act and ready to meet the needs of the emerging rules.

In fact during DGPSI implementation, accredited auditors of FDPPI use procedures which would be more than sufficient to meet the requirements of the rules.

The probability of compliance to the rules is extremely high if one follows the DGPSI framework and the manual of DGPSI implementation.

We are sure that there will be other frameworks which will come forth from different organizations but DGPSI shall remain the Gold standard since it is future ready and adaptable.

It is not enough if Naavi says that DGPSI is the “Gold Standard”.  You need to check and be  satisfied.

I invite professionals to raise any questions they have on DPDPA compliance and how DGPSI addresses it and we will be happy to answer each one of them. 

Naavi

Posted in Cyber Law | Leave a comment

Chief Concerns regarding DPDPA Rules

India that is Bharath is waiting for the elections to be over and for Mr Modi to come back with a thumping majority. The DPDPA 2023 which was notified with presidential assent needs to be activated within the 100 days plan for which we wish that Rajeev Chandrashekar will be back as the IT Minister.

We can expect that just as the work in progress rules was leaked some time back some body in MeitY is working on the rules.

It is our duty to bring to the notice of the team working on the rules some of our concerns and suggestions.

As per Section 40, at least 25 new rules need to be formulated. Out of these the following 5 rules appear to be of key importance. We would like to propose our suggestions regarding the above.

Legacy Data:

Since it is expected that a large number of legacy data principals may not be reachable and may not respond to the new notice, the rules should prescribe the “Reasonable Period” after which the permission is deemed as “Withdrawn”.

The Act now simply states…

“the Data Fiduciary may continue to process the personal data until and unless the Data Principal withdraws her consent.”

This is not in consonance with the spirit of the Act and it cannot be construed that the data can be used for an indefinite period under the excuse that the data principal did not withdraw the consent. It will also be in conflict with the obligations under Section 8(3) to ensure that the data used for processing is “Complete” and “Accurate”.

Also the principle under ITA 2000 is that any privacy policy needs to be renewed not later than one year which therefore becomes an expiry period for the consent in the absence of any other parameter.

The period of 1 year however appears unreasonable in the context of DPDPA 2023. A more reasonable period has to be prescribed and in our view it should not be more than 3 months.

Significant Data Fiduciary

The definition of “Significant Data Fiduciary” could be by far the most important rule to be notified and it is necessary that the Government thinks seriously of the suggestions made in our precious article.

The essence of this suggestion is that the “Tag of Significant Data Fiduciary” is not to be associated with an enterprise as a whole but to specific processes. Under DGPSI, we group processes based on the sensitivity and this should also determine the Significant Data Fiduciary status.

The operating part of the suggestion is to add the following explanation in the rules:

“The term ‘class’ under Section 10(1) of the Act for the application of this rule also applies to any class of personal data process/es that an entity may use where the risk, sensitivity and volume of personal data processed exceeds a specified threshold”

Nomination

If “Nomination” is considered as “Transfer of ownership of an asset on the death of a person” and applied to personal data as a property, then it will be difficult for the Data Fiduciaries to obtain consent through electronic means. We are aware that law does not consider “Nomination” as “Transfer of property” and hence the rights of legal heirs is not affected by the presence of nomination in favour of a person who is not a legal heir. However common people may not be aware of this and may consider “Nomination” as “Bequeathing of property”. If this concept is recognized then electronic consent form cannot be used to register “Nomination” because of Section 1(4) of ITA 2000.

To honour the legal principle that “Nomination” is a procedural convenience adopted by an asset owner to transfer the property to a trusted agent of the property owner for further transfer to legal heirs, an explanation needs to be added as follows.

” Nomination for the purpose of Section 14 of DPDPA 2023 means transfer of custody of personal data and associated digital property in the hands of a data fiduciary to a person designated by the data principal for eventual distribution to the legal heirs. The data fiduciary shall be considered as discharged from his liability of disposal of the digital assets if the custody is properly handed over to the designated nominee”.

A separate procedure for claim settlement can be prescribed for this purpose (Refer to earlier articles in Naavi.org on digital data of deceased.

Consent Manager

The definition of “Consent Manager” is another area where the Meity may be stuck to their current DEPA framework and needs to think differently. This aspect has also been discussed by Naavi.org earlier and a case has been made out that “Consent Manager” under the Account Aggregator concept is different from the “Special Data Fiduciary concept of a consent manager” used in DPDPA. There is also a need for a very strict application of “Fit and Proper” criteria for registering Consent Managers.

If this aspect is neglected, we can see a major scam of theft of personal data for which the negligence of rule makers would be responsible.

Data Auditor

The rules regarding the credentials of a “Data Auditor” is another area of concern where vested interests can play havoc.

I would welcome Meity to introduce its own accreditation of Data Auditors through an open examination and should refrain from using the terms “All Cert In Accredited Auditors shall be considered as deemed to be qualified to be data auditors under the DPDPA 2023”.

Meity can use the guidance available under FDPPI’s C.DPO.DA. Certification course or DGPSI as a framework to structure the accreditation examination for Data Auditors.

The model adopted by MCA in accrediting Independent Auditors or the Law department in accrediting Patent lawyers can be followed for this purpose. The essence of these models is that the Government has a certain norm of an examination and trainings are conducted by different private bodies and not restricted to any one agency as a “Deemed Expert”.

Naavi

Posted in Cyber Law | Leave a comment

Psychological impact on Children from AI teachers

A trend is developing where some schools are using humanoid robots in teaching. While there is no doubt that the humanoid robot can be a store house of actual knowledge particularly in our educational system based on a specific curriculum and examination pattern based on learning from text books, the psychological impact of a machine teaching an young mind is perhaps needs to be researched.

If there can be a psychological impact of lack of biological parents for abandoned children, adopted children, single parents etc, there is a possibility that the teacher being non-human may also have its own impact psychologically on the children which perhaps may become evident not now but after another decade.

Do children look forward to an emotional support from the teacher apart from guidance on the topic? A study can be made in schools while some teachers are more popular with the students than others and why some students thrive better under one class teacher than the other.

While I am not inclined to go into the details of how a student may feel being taught by a robot instead of a human teacher as it is a core psychological subject, as some body observing the development of technology and its effect on the society, I am uncomfortable with the impact that the humanoid teacher may have on the development of a student particularly in the primary and middle educational level.

Many of the students are actually averse to learning and only when the teacher presents the concepts interestingly in the form of exercises, activities etc., are able to learn. Will a robot be able to perform similarly?

Can the robot express empathy and understand from the look of the child that today his/her mother must have scolded him or he has some other concern on the back of his mind and is unable to focus? It is doubtful that except a sentient robot others may not be able to come any where near the experience of learning from a human.

Further students in class learn not only about the subject but also about life. In this respect only a human teacher can evoke empathy even in the student who can see his mother in the form of teacher which is unlikely to happen in the case of a humanoid robots.

I wish some psychology student does a research on this subject and come up with some insight on this topic.

Naavi

Posted in Cyber Law | Leave a comment