India is a fertile ground for misuse of AI through Fake news creation and distribution. It is expected that this would grow multiple times in the next few months and there could be an international tool kit under development to use Deep Fake videos to disturb the electoral democracy of India.
The Government is hesitating to notify the DPDPA rules which could bring agencies involved in distribution of online news under reign.
In this phase we can expect that AI created deep fake would proliferate through X, WhatsApp, Instagram and YouTube.
Simultaneously this will make any information on the Internet unreliable.
The challenge is therefore to identify what is to be accepted as credible information when it is presented online.
Apart from a notification that can be given under ITA 2000 without any further need for change of law, we urge that as a part of ethical use of AI, the following measures are initiated.
It is essential that any responsible AI developer should incorporate such codes in the software that a signature of the original developer and the licensee is embedded into a creation of an image, video or text through a steganographic inscription which cannot be altered or destroyed.
Attention of MeitY is drawn to ensure that this control is notified immediately under ITA 2000 before it is too late..
This “Genuinity Tag” should be embedded in all AI and taken note of by genuine users and AI auditors as a necessary compliance measure for AI related compliance.
A regulatory agency or an NGO should take the responsibility to “Register” genuine AI” and issue certificates of reliability assurance as a part of the AI algorithm audit.
Ujvala Consultants Pvt Ltd is in the process of developing such a registration system leading to an AI-DTS evaluation.
Yesterday, RBI also released a document namely “Enabling Framework for Regulatory Sandbox” which inter-alia attracted interest of Data Protection professionals because a reference was made about DPDPA.
RBI is a sectoral regulator and how its regulations that may overlap with DPDPA is closely watched.
Under Section 16(2) of DPDPA, which applies to Cross border transfer of personal data, it is stated that…
“Nothing contained in this section shall restrict the applicability of any law for the time being in force in India that provides for a higher degree of protection for or restriction on transfer of personal data by a Data Fiduciary outside India in relation to any personal data or Data Fiduciary or class thereof”.
Since RBI already has some stricter regulation regarding transfer of data by its Regulatory Entities (REs) which may be both personal and non personal, it is understood that those regulations will remain.
Under Section 17(1(b) certain provisions of Chapter II, Chapter III and Section 16 is not applicable for the processing of ” 0f personal data by … or any other body in India which is entrusted by law with the performance of any …. regulatory or supervisory function, where such processing is necessary for the.performance of such function;
However the new Framework for regulatory sand box for Fintech industry once the sand box scheme is approved by RBI, the Fintech regulatory compliance will be supported through some relaxations by RBI.
However, The sandbox entity must process all the data, in its possession or under its control with regard to Regulatory Sandbox testing, in accordance with the provisions of Digital Personal Data Protection Act, 2023. In this regard, the sandbox entity should have appropriate technical and organisational measures to ensure effective compliance of the provisions of the Act and rules made thereunder. Further, the sandbox entity should ensure adequate safeguards to prevent any personal data breach.
In the event such startups are notified by MeitY under DPDPA, Section 5, Section 8(3), 8(7) , Sec 10 and 11 of the DPDPA may be exempted.
Sec 5 is “Notice”. Sec 8(3) is accuracy and updation if the data is used for disclosure or automated decision making, Section 8(7) data retention and erasure, Sec 10 is “Significant Data Fiduciary” and Section 11 is Right to access.
A Start up working inside an RBI sandbox and notified by MeitY will have the benefits of both Section 17(1)(3) with above exemptions and the RBI exemptions as provided under the notification.
The RBI notification reiterates that RBI will manage the Fintech regulations and MeitY will regulate the DPDPA regulations. There no other special impact of the RBI regulation on DPDPA.
There is however one observation. RBI notification is currently applicable and recognizes the existence of DPDPA.. though it is yet to be notified for effect. In a way RBI is validating the effectiveness of DPDPA even today .
Yesterday, RBI issued a Draft Disclosure framework on Climate related financial risks 2024 applicable for regulated entities (REs). Comments / feedback, if any, may be sent by e-mail with the subject line “Comments on Disclosure framework on Climate-related Financial Risks, 2024”, by April 30, 2024.
The policies proposed will have cascading impact on the loan customers and hence is of interest to the industry also.
The disclosures for REs will cover Governance, Strategy, Risk Management, Metrics and Targets. The Governance, Strategy and Risk management may be rolled out from FY 2025-26 on wards for Banks and top layer of NBFCs. Metrics and Targets may be rolled out in the following year. For ban cooperative Banks the roll out may be deferred by an additional year and for others, the dates need to be announced.
Since the risks of Banks and NBFCs are related to those of their customers, the REs will have to collect information and impose norms for their customers in terms of not only Governance, Strategy and Risk management, but also the Metrics.
The discussion on AI and climate change appears relevant in this context since the customers who are users of AI may be required to disclose information to the investors and who in turn have to submit the consolidated information to RBI.
It is observed that some time in 2023, an idea was adopted by ISO that Standard developers should incorporate and demonstrate their concern for Climate change while arriving at the standards. Accordingly ISO-Guide 84:2020 was also released. It appears that this requirement is being now added mechanically to all standards without justifying its relevance.
Accordingly, a standard like ISO 42001 meant as a Requirement Standard for Artificial Intelligence Management System (AIMS) in clause 4.1 (Understanding the organization and its context) adds a component “The organization shall determine climate change is a relevant issue”.
When a company implementing an AI or developing an AI and looking at this document for guidance and possible certification would wonder what its use of an AI algorithm has to do with “Climate Change”.
While we consider that this clause has crept into the standard following the blind implementation of a norm without considering the proportionality of the impact of such a suggestion, we still open up for debate this requirement in the context of some recent revelations on the climatic impact of the AI systems particularly using LLMs.
LLMs are the first AI systems adopted by most companies and hence the climatic impact of LLMs becomes a relevant case for certification of ISO 42001.
In India discussions have taken place on water consumption by Companies like Pepsi or Cocacola but the dimension of Water and Energy Consumption by AI systems both for development and usage makes one to sit back and think if there is a need to decelerate the growth of data centers to conserve water and energy resources.
An article published by associated Press recently quoting the 2022 information suggested that Microsoft’s data center water use increased by 34% from 2021 to 2022. The company slurped up more than 1.7 billion gallons, or 6.4 billion liters, of water in the previous year, which is said to be enough to fill more than 2,500 Olympic-sized swimming pools. It was a similar story with Google, which reported a 20% spike in its water consumption over the same timeframe. It is anybody’s guess what would be the situation in 2024 with ChaptGPT 4/5 and Bard/Gemini being in use.
A time has come for ISO 42001 auditors (Ed: Audit of ISO 42001 may perhaps be required to be done like ISO 27701 along with ISO 27001) to ask the question to their auditee organizations if it is possible to ignore the climatic impact of use of AI when an AIMS audit is undertaken.
The current discussions on regulation of AI is normally around Job loss, Human brain degradement, Explainability,Accountability, Bias control etc., but not very much on the climate impact or related issues such as carbon foot print. The EU act on AI may require that the “High Risk AI Systems” may be required to report report their energy consumption resource use and other impacts throgh out their systems life cycle.
India has to also incorporate this aspect in its proposed AI regulation. A Yale university report mentions that in Chile and Uruguay, protests have erupted over planned data centers that would tap drinking water reservoirs.
There was a time when Indian Government would run TV ads on “Stop the tap when you are shaving”. Now the new generation ads will be “Dont make a query in Chat GPT if you donot need it”. Probably water conservation should become part of the IT industry’s responsibilities.
We donot know if the recent drinking water shortage in Bengaluru city has any origin in the increased use of AI !
On October 27, 2009, Government had issued a notification under Section 69 of ITA 2000 titled Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009.
This rule had a clause 23 which stated as under:
Destruction of records of interception or monitoring or decryption of information.—
(1) Every record, including electronic records pertaining to such directions for interception or monitoring or decryption of information and of intercepted or monitored or decrypted information shall be destroyed by the security agency in every six months except in a case where such information is required, or likely to be required for functional requirements.
(2) Save as otherwise required for the purpose of any ongoing investigation, criminal complain or legal proceedings, the intermediary or person in-charge of computer resources shall destroy records pertaining to directions for interception of information within a period of two months of discontinuance of the interception or monitoring or decryption of such information and in doing so they shall maintain extreme secrecy.
Now the current gazette notification states as under:
The Indian express commented that the rules have been amended to broaden the powers of the centre to issue directions to destroy digital evidence and to allow the home secretary or other bureaucrats to issue directions to destroy digital records.
On a proper reading of the rule it appears that the insinuations of the Indian Express (which no doubt will soon be echoed by the Anti Government media) is wrong. The rule suggests that the power to remove the information collected during an investigation process shall not be exercised by the security agency but by the authority which actually gave the permission or had the power to give permission for the monitoring. This is logical and appears to correct the possibility of misuse of the authority by the security agencies.
Under the rules, powers had been given exclusively to a “Competent Authority” to carry out the interception or monitoring or decryption of information. Any agency other than the “Competent Authority” indulging in such activity would become an “Unauthorized access” under Section 66.
To take care of unavoidable circumstances, it was provided that such orders may be issued by an officer not below the rank of a joint secretary duly authorized by the competent authority.
It was also provided that in case of emergencies and in remote areas where the obtaining of the permission from the “Competent Authority” or the “Designated Officer” was not feasible, the interception etc may be carried out with the prior approval of the Head or the second senior most officer of the security and law enforcement agency (hereinafter referred to as the said security agency) at the Central level and the officer authorised in this behalf, not below the rank of the inspector General of Police or an officer of equivalent rank, at the State or Union territory level;
In all cases where the delegated authority was exercised, such enforcing agency (Designated officer or the police officers etc) were required to inform in writing to the competent authority about the emergency and the action taken within 3 working days and obtain approval. If the approval was not available for 7 working days, the action of monitoring etc was expected to be terminated.
What the recent amendment states is that where such monitoring has commenced and certain data has been collected, the destruction of such data shall be done only with the instructions of the competent authority and not the security agency.
In other words, the security agency which is given the emergency powers to collect data is not permitted to play with it and destroy it when permission is denied by the competent authority.
This is therefore for “Preserving digital evidence” and not “Destroying digital evidence” as the news paper reports.
It is unfortunate that certain reporters of the media and the media themselves are ignorant and look at any action of the Government with coloured ideas. They must admit their ignorance and provide clarification. Otherwise this will be a “Fake News”.
I will not be surprised if this issue is taken to Court and some ignorant Judge perhaps in a High Court passes an order to stay the notification. A similar incident happened when Mumbai High Court gave a split verdict in the case of “Setting up of “Fake News Alert” by the Government to protect fake news about the Government being spread by the vested interests. The Court failed to understand the implications of the proposed amendments and the limited role of PIB in the context and declared that it was a freedom of press issue. In the past, in the celebrated Shreya Singhal Judgement Supreme Court itself displayed ignorance and gave a faulty judgement considering “Publication” as equivalent to “Messaging”.
I hope the news reporters understand such issues before they report.
One possibility is that State police in some occasions might have collected some investigating details using the powers under Section 69 of ITA 2000 and may like to destroy it before the NIA takes over the investigations. Such issues are now common in many states where there are opposition Governments. This amendment prevents the State level agencies exercising the powers as an emergency and later destroy the data if it is inconvenient to them. The amendment therefore has to be welcome as tightening up of the rules.