Raising Objections to Government actions has become a habit for Tech Companies

Whenever an important action is undertaken by the Government, a part of the industry and the media is always objecting. It appears as if these companies are so used to operating without regulations in India that even a small guideline makes them feel that there is a great injustice committed.

Unfortunately, our judicial system is so sympathetic to anti-Government petitions that at the drop of a hat, a stay would be granted. Hence the Government has been rendered impotent in taking any firm decision related to IT.

For example, on October 17, 2000, India notified ITA 2000. This had a section 70 where the Government was empowered to declare any computer system as a “Protected System” and impose special penalties for contravening the provisions of the guidelines under this section. Under this section the Central Government had the power to notify any system as a “Protected System” and notify how they could be accessed, who would access etc.

On 19th January 2004, the Ministry of IT set up a division within its office and called it “CERT-IN” to monitor the implementation of the security aspects in Government networks.

From October 27, 2009, the amended ITA 2000 became effective as per the amendments of 2008. This introduced modifications to Section 70 and also introduced two new sections namely Section 70A and Section 70B.

Under Section 70, the systems to be protected were designated as “Critical Information Infrastructure” which was defined as “the computer resource, the incapacitation or destruction of which, shall have debilitating impact on national security, economy, public health or safety”. It was a definition that could include both Government and Private Systems.

According to Section 70A, a provision was made to recognize a “Nodal Agency”  which was responsible for all measures of security including “Research” related to the protection of Critical Information Infrastructure.

According to Section 70B, the Computer Emergency Response Team (IN-CERT) was designated as the National Nodal Agency and vested with the quasi judicial powers envisaged under ITA 2000/8.

Under Section 70B(4), it was prescribed that:

The Indian Computer Emergency Response Team shall serve as the national agency for performing the following functions in the area of Cyber Security,-

(a) collection, analysis and dissemination of information on cyber incidents

(b) forecast and alerts of cyber security incidents

(c) emergency measures for handling cyber security incidents

(d) Coordination of cyber incidents response activities

(e) issue guidelines, advisories, vulnerability notes and white papers relating to information security practices, procedures, prevention, response and reporting of cyber incidents

(f) such other functions relating to cyber security as may be prescribed

It was clear that with this change in ITA 2000, it became a duty of the CERT IN which was only a department of MeitY to be responsible for national cyber security. The person in charge was also re-designated as “Director General” and he had the power to prosecute any service provider or intermediaries, data centers,  body corporate or any person who does not comply with his direction with a possible punishment of an imprisonment of 1 year and fine of Rs one lakh.

Though this power and responsibility came into existence from 27th October 2009, the CERT IN never assumed the changed role of IN-CERT and did not seriously grow out of its earlier departmental status.

On 16th January 2014, Government notified the “Information Technology (The Indian Computer Emergency Response Team and manner of Performing functions and duties) Rules 2013”.

The rules prescribed that any non compliance of directions shall be put up to a review committee consisting of the Secretary of MeitY, Joint Secretary, Ministry of Law and Justice, Officer of DOT, Joint Secretary of Ministry of Home and the Group Coordinator for Cyber Law in MeitY, for necessary action.

It is not clear whether this committee has met in the past and whether the powers envisaged under this notification have been properly exercised.

However, it is necessary for us to recognize that this data breach reporting requirement existed in law since 27th October 2009 with procedures available since 16th January 2014.

The industry which is today raising objections on the regulations notified on 28th April 2022 has not been aware of the developments of 2008 amendments of ITA 2000 or the rules notified in October 2009 or 2014. Further on 4th January 2017, a notification was again issued regarding the data breach notification where it was mandated that the Cyber Security incident reports have to be notified within a reasonable time.

Now the Government has again come up with a notification about the same mandatory requirements giving a further 6 months for implementation as if even the Government does not recognize that it has been its duty to collect the Cyber Security breach incident reports since 27th October 2009 and it has already issued many notifications for the same purpose.

The media is now raising excuses why the notification is difficult to implement. The website INC42.com which is known for its anti-Modi stand says that “India has limited Internet freedom again”.

The US-based technology industry body ITI, having global tech firms such as Google, Facebook, IBM and Cisco as its members, has sought a revision in the Indian government’s directive on reporting of cyber security breach incidents as if they are running the Indian Government and India cannot pass any law which is not acceptable to these Tech Companies.

Some of the Indian Companies who are ignorant of the ITA 2000 and the fact that this regulation has been in existence for 12 years without being implemented are raising their own objections such as “Increased Cost”, “Technical Difficulties” etc.

We would like to directly respond to some of the questions raised in some of the articles that have appeared in Economic Times and Indian Express in this regard and try to clarify the position.

Concern 1: ITI:  According to ITI Country manager Kumar Deep, Incident reporting is counter productive and may negatively impact Indian and Global enterprises and undermine cyber Security.

It appears that ITI considers that data breach notification is detrimental to the interest of the country whereas hiding the incidents is acceptable. Does ITI hold the same view regarding the data breach notification requirements in each of the states of US as well as laws such as CCPA, GDPR etc? If reporting under those laws is not detrimental to the interests of USA, how is data breach notification to the Indian Government authority alone detrimental to the interest of India?

Concern 2: ITI: ITI has raised concerns over the mandatory reporting of breach incidents within six hours of noticing, to enable logs of all ICT systems and maintain them within Indian jurisdiction for 180 days, the overbroad definition of reportable incidents and the requirement that companies connect to the servers of Indian government entities.

It is noted that the objection is incorrect to the extent that companies need not connect to the servers of Indian Government Entities. What has been prescribed is only to ensure that the time servers are synchronized.

Reporting the incident within 6 hours is required only after the organization comes to know of the incident and does not cover the inefficiency of the companies which, surveys state, take more than 9 months to detect a breach.

Keeping log records is a routine activity which  may only require more domestic storage facilities and does not create any other issue. It is not necessary that these have to be shared with the Government on an ongoing basis. Only when an appropriate Government agency demands the information for any investigation, the information has to be shared. This is a law enforcement requirement which these Tech Companies are trying to avoid.

ITI should realize that the Tech Companies need to work within the laws of our country and cannot be considered as tools of terrorists and anti India elements.

Concern 3: INC 42: INC 42 suggests that VPNs should not be asked to keep the records of their subscribers and make it available to the Government if required. It has also objected to the extension of this requirement to Crypto Exchanges.

It is to be noted that the directives do not require the VPN hosting companies to share the content transmitted but only who is using their services. Allowing anonymous VPN services is the “Dark Web” operations of the Cyber Criminals and it cannot be supported by any law abiding country.

Concern 4: Money Control: According to the views from some experts, Money Control reports that the log retention capacity has to be newly created and hence would add to the cost. It also says that whether the companies are equipped to report such cases within six hours is questionable. Some experts have also raised the issue if they have to report every phishing mail received or attempted targeted scanning etc.

It is to be noted that reporting within 6 hours does not mean that the report should be complete with investigation, root cause analysis etc. What is required is the report that a data breach has happened. Under every law including GDPR or DPA 2021, it is envisaged that the report may be in phases and as and when more information is available, the report will be updated. However the first report within 6 hours ensures that the national body is aware of something going wrong in one company and it may help it plan a defence if similar incidents can occur in other companies.

What the companies need to do is to draft an email which records the data breach event, the general description of the nature of the attack, its adverse impact etc. It is possible that IN CERT may actually help those companies who, if they are not equipped to send an email within 6 hours, will also not be capable of mitigating the risk in 60 days. After all we are talking of companies who take 270 days to even recognize a data breach and call themselves champions of Cyber Security.

As regards whether every targeted scanning has to be reported etc., companies need to define what is a “Data Breach” and distinguish it from “Attempted Attacks”. When the attempted attack succeeds then only a “Data Breach” gets recognized. The rest gets recorded in the log records and could be useful for future investigations. In case of Phishing, it is not the incoming phishing mails that become reportable unless they have been responded to leading to a data compromise. What is important is whether the Company’s identity has been used by fraudsters in their phishing attacks. If so appropriate measures need to be taken to bring down the fake servers delivering the phishing messages and provide disclaimers and notifications in their websites.

In summary we can state that the objections raised by some of the industry members through the media are unreasonable and need to be ignored.

It is unfortunate that in all such cases, it is Naavi.org which has to come to the defence of the Government and the Government agency itself remains a mute spectator to the media onslaught to the extent that Courts also feel that there should be something wrong with the Government since it is not confident of itself.

The IN-CERT should come of age at least now and realize that it is not the old CERT-IN and I urge the Director General to come out with his own Press Conference defending the notification more strongly than what Naavi.org needs to do.

We are once again reminded of the story in Ramayana where Hanuman did not know his powers and had to be reminded by Jambavanta before Hanuman got the confidence to jump across the ocean. IN-CERT is also like the Hanuman who does not know its powers and has to be reminded.

Naavi.org has already suggested that after the DPA 2021 is passed, the role of DG, IN CERT may get further marginalized. Just as the late Mr T.N. Seshan revived the self respect of the Election Commission, the current DG, IN CERT has the responsibility to assert the role of the office of DG, IN-CERT and ensure that the interest of the office is protected. I urge the Secretary of MeitY to facilitate this transition of CERT-IN to IN-CERT and make it a relevant body.

(Comments are welcome)

Naavi

Reference Articles:

Global tech industry body seeks revision in India’s directive on cyber security breaches

Tech companies have a few queries on CERT-In’s cybersecurity rules

India Limits Internet Freedom Again; Mandates User Data Collection For VPNs-INC42

5 issues with the recent Cert-In directions and what they mea… Money Control

Why India’s New Cybersecurity Directive Is A Bad Joke… Medianama.com

Reference Circulars

CERT In Rules dated 16th January 2014

Notification of 4th January 2017

Notification of April 28, 2022

Earlier Articles at Naavi.org

CERT-In Re-issues its order of 4th January 2017

Shadow DPAI required for CERT-IN


Beware of a New Cyber Fraud

We are aware of some companies including Microsoft, Adobe and also Graphic software companies like AutoCAD trying to bully computer users, threatening them with copyright violation and forcing them to buy licenses.

Sometimes this happens when a trial version of a software has been downloaded and used beyond the trial period because the user forgets to deactivate it. Companies deliberately allow usage of the software beyond the trial period and thereafter claim infringement of copyright.

In some instances employees of companies inadvertently download software into company devices and the company gets exposed to the copyright infringement. This normally happens in small companies where the information security system is not strong.

We have discussed such issues in the past and even assisted some companies to ward off extortionist attempts by some dealers in the name of their companies.

Now it appears that a new cyber crime wave is commencing where the usual Credit card fraudsters make calls accusing “Your employees have downloaded our software and deleted it. We know everything. We will take legal action” .

The caller may refuse to indicate what evidence he has but keep threatening that they will take legal action.

After the initial threat calls the discussion veers round to payment of money which is the fraud part. In these cases, the allegation may not be true and the call may not be from the genuine company. The email if any may come from a proton mail which is not traceable. Possibility of some of the employees of the company engaged in the commission of this fraud is not ruled out.

It appears that this fraud is to extract whatever money is possible from out of this threat. It can also run into a sequence of extortions if the organization is yielding and subsequently end up with ransomware infection also.

One such case has been reported from Bangalore in the name of CorelDraw software.

I request organizations to be careful in dealing with such fraudsters. If they send any emails in which clickable links are available saying that “Here is the evidence”… be circumspect and avoid clicking the hyperlinks because they may contain viruses.

Already several such cases have been reported in the following URLs.

https://www.kaanoon.com/305022/corel-draw-software

https://www.cybercrimecomplaints.in/thread/fraud-call-from-corel-india-corelindia-co-in/ 

The email received by the recipient includes the logos of Corel India and is in the name of Deepak Shetty as “Compliance Executive” of Corel Corporation with phone numbers + 91 88 600 865 71  and   + 91 22 6243 0743. 

Naavi.org has sought clarification from Corel India and would look forward to clarifications.

Naavi


Brain Computer Interfaces

The study of Neuro Rights Law for the purpose of developing Jurisprudence requires an understanding of neuro science as well as the technology that interacts with the neuro systems of humans.

So far we have tried to establish the relevance and scope of Neuro rights laws comparing it with the Privacy Laws. We have discussed how the definition of “Harm” under DPA 2021 can be extended to the impact of neuro modulation techniques and how the flexibility in DPA 2021 in defining “Critical Personal Information” can be extended to the “Neuro Data” to cover the “Neuro Rights” which are being discussed world over as part of the Human Rights.

In our journey to the center of the World of Neuro rights, today we shall explore the technologies related to the domain.

The Human nervous system consists of the Central Nervous system (which includes the Brain and the Spinal Cord), the nerve system that enables two way movement of signals from different parts of the human body to the brain and from the brain to the different parts of the body. The signal transmissions occur when the electrical potential in a neuron cell body (Soma) exceeds a threshold level (action potential) which emits a neuro signal that travels through the wire like part of the cell called the Axon reaching out to the different parts of the body. The end parts of the neuron cells called the Dendrites transfer the signals to the dendrites of the neighboring neurons through the area called “Synapses”. While the signal travels through the Axons, the signals are insulated by what is known as “Myelin sheaths”.

From the requirements of technology, what is important is that generation of neuro signals is created by an accumulation of electrical voltage in the cell and when it crosses the threshold of the action potential the signal is fired from the cell body through the axon to the axon terminals.

The objective of technology is to capture these signals and probably manipulate them in transmission. The technological devices working in this area may be called “Brain Computer Interface” or “Brain Machine Interface” (BCI or BMI). It can also be referred to as Human-Computer Interface or HCI.

In the simple “Brain Mapping” technology, the objective  of a BCI is just to record the activity of the brain under different contexts of external stimuli. In a more sophisticated exercise, the technology can try to understand the source and destination of the signal within the human body and the nature of the actions intended which can be transmitted to the specific areas of the body to induce the actions.

The technology itself can be divided into “Non Invasive”, “Invasive” and “Semi Invasive” types.

The world of technology is also trying to create a “Virtual Brain” or the “Blue Brain” (An IBM Project) as a sequel to the Artificial Intelligence. The Blue brain can be a “Chip” that can be installed in the human brain in an invasive technique involving surgery and implantation of the chip below the skull. The “Blue Brain” can be supported by “Nano bots” which travel through our blood circulatory system carrying the information from different parts of the body into the Chip.

The Non Invasive technologies rely on electrodes that are fixed on the outside of the skull. Semi Invasive techniques will involve implanting of the chip inside the body below the skin but resting outside the grey matter of the brain.

The EEG or the Electroencephalograph is a recording of the brain activity from outside the skull using electrodes that collect the signals that can be read on the surface. The signals, which can be graphically represented, will have a low resolution.

In comparison, the Semi invasive technique where the sensor is within the skin but outside the grey matter of the brain, such as “Electrocorticography” (ECoG), provides better data collection. ECoG measures the electrical activity of the brain taken from beneath the skull in a similar way to noninvasive electroencephalography, but the electrodes are embedded in a thin, plastic pad that is placed directly above the cortex, beneath the dura mater.

In the invasive technology, probes may directly be mounted on the grey matter of the brain and be capable of observing the signals more closely. It may have the potential to observe the activity of a single neuron.

The terms such as EEG or ECoG etc are more relevant for the neuro scientists but have been provided here for the general understanding of the architecture of technology related to Brain Interfaces.

However the end objective of the technology in medicine is to create a therapeutic usage where the implanted chip can cure diseases such as loss of short term memory, epilepsy, sectoral damage of brain etc. It is to be accepted that there is a huge benefit to the society from such technology and though we may focus more on the negative aspects to discuss the “Rights”, it is not the intention of the author to belittle the scientific developments. Eventually, this technology can create “Cyborgs” and the possibility of misuse of technology is to be flagged for appropriate security response.

In terms of technology, the system of BCI involves:

a) Acquisition of digital signals

b) Transmission of signals from the collection device to a back end device for further processing

c) Pre-processing of signals, Feature extraction and classification

d) Application interface to input the extracted data into an application

e) Processing of the data and converting it into useful information to the society

As compared to the EEGs a similar technology exists in the form of MRI. The MRI technology observes the changes caused in blood-oxygenation levels and its magnetic impact. It is like observation of a derived impact whereas the EEG is a more direct observation of the neuro activity. An attempt is also being made to use both EEG and MRI technologies together for a better understanding of the brain activity.

We shall stop our discussion on the technology aspects related to NMT (neuro modulation technology) at this point and give time to assimilate the concepts.

The objective of this limited presentation so far is to draw the attention of the computer technologists to the potential available in this segment. We may continue and expand this discussion later in our discussions.

Naavi

(PS: This exercise is an exploration of new thoughts in the journey to the world of Law, Science, Technology and finally the philosophy of human brain activity.   I invite comments and corrections to the above from other experts in the area.)

Earlier Articles

What are Neuro Rights?

Starting the journey to the Neuro Rights Law and Technology

The Age of Neuro Rights Dawns in India

New Dimensions of Privacy-Mental Privacy and Neuro Privacy Rights

What are Neuro Rights?

At present “Privacy Right” is considered as a “Right to be let alone”. However, in practice, “Protection of Privacy Rights” is reduced to “Protection of Information Privacy” which is essentially, giving protection to the “Right of Choice” of an individual on how his/her personal information is collected, processed, stored, disclosed or destroyed.

Laws related to Privacy Protection therefore focus on “Data Protection” and prescribe how personal data is defined, how it should be collected, what are the limitations of processing, what are the rights given to the data subjects etc.

However, the emergence of technology which can interfere with the way human brain communicates with the organs of the body gives rise to a new threat of harm that the “Right of Choice” itself may get manipulated.

Hence there is a need for new laws that protect the integrity of the expression of the “Right of Choice”. The Neuro Rights Protection falls in this domain. Though this is also referred to as “Mental Privacy”, since currently the “Right to be left alone” is also referred to as “Mental Privacy”, it is preferable if we refer to the new branch of study of Neuro Rights as “Neuro Privacy”.

One definition of “Neuro Rights” presently used is that it refers to the “Legal and ethical principles of freedom and entitlement related to an individual’s cerebral or mental domain”.

Just as Neuro privacy differs from the “right of choice”, it also is different from the “Manipulation of a data subject’s choice” through advertising.

In “Advertising”, certain information is presented to a data subject which he perceives through his normal sensory organs and because of persistency of communication, starts accepting it as a possibility and converts it into an acceptance.

The normal principles of marketing and advertising take communication through the “AIDAS” stages involving “Awareness”, “Interest generation”, “Desire Development”, “Availability of product” and “Satisfaction at post purchase level”.

In order to make Advertising and Marketing effective, it is necessary to know the nature of the communication recipient and what motivates him. An advertisement exposed to the general audience without market segmentation and development of communication content relevant to the audience would be a huge waste of resources. It is therefore necessary for advertisers to understand the market participants to whom the communication has to be targeted.

For this purpose all advertisers undertake profiling of the end recipients of an advertising and marketing effort which is frowned upon by Privacy activists. However, laws try to balance the requirements of business with the privacy concerns by specifying stronger procedures for obtaining an “Informed Consent” in the form of  “Explicit Consent”.

Businesses like Google and Meta are however often accused of misrepresenting and obtaining consent by unfair means and this becomes one of the main disputes that the data protection authority has to manage.

In the case of “Children” who are considered incapable of giving consent, profiling or targeted advertisements may be completely banned as in Indian law while “Parental Consent” is obtained in certain circumstances.

The “Neuro Privacy” addresses a concern which is different from “Target Advertising”. Neuro Modulation Technology (NMT) involves changing the behaviour of the brain of a subject so that what he expresses as “Consent” or “Choice” is perhaps corrupted with the NMT devices. Who has given the consent, and whether it is out of free will, becomes difficult to ascertain when a subject could be under the influence of a “Brain-Computer Interface”.

Hence there is a demand for recognition of a new set of rights under the family of “Neuro Rights”. At present, five different rights are being identified in this group, namely:

1. “Mental Privacy” which is a right to control collection, storage, use or disclosure of “Neuro Data”. “Neuro Data” is collected from devices which we call the “Brain-Computer Interface” (BCI) or “Brain Machine Interface” (BMI). This would be a “specially sensitive personal data” and can even be brought under the definition of “Critical data” under the Indian law.
2. “Personal Identity” meaning that technologies should be kept within boundaries so that they do not disrupt the sense of “Self”.
3. “Free Will” which provides ultimate control to individuals over their own decision making without unknown manipulation from external Neuro technologies.
4. “Fair Access to Mental Augmentation” meaning a fair access to useful mental enhancement neuro technologies on the basis of justice and guaranteed equality of access.
5. “Protection from Bias” meaning counter measures to combat bias for algorithms in neuro technology.

We are aware that the Indian data protection law (DPA 2021) does recognize “Harm” including “psychological manipulation which impairs the autonomy of the individual”, and also provides an option to define “Neuro data” as a special category of personal data which is considered “Critical Data”. With these two aspects, the current DPA 2021 may be interpreted adequately to protect all the above 5 rights.

However just as the Privacy activists were not able to accept judiciary reading down Information Technology Act 2000/8 as a data protection Act, the Privacy activists may not be able to accept the DPA 2021 as also inclusive of the Neuro Rights Protection. Hence it may be necessary to bring an appropriate subordinate legislation or an amendment of the act in due course to protect the Neuro Rights.

At present there are more than 130 countries having Privacy Laws but only one country with laws on Neuro Rights. We may therefore consider that it would take some time for the world to recognize the need for legal protection to Neuro Rights.

However when we look around and see the pace at which technology is developing and its destructive powers, it is better to be ready with a legislation before the technological developments go out of hand.

We have seen how the Crypto Currencies are threatening the very existence of a global economic system because we are not able to bring a law to regulate Crypto Currencies. Similarly Meta Verse as well as AI are likely to go out of control soon since there are no proper regulations to prevent their misuse. We should not make the same mistake in the case of Neuro Rights and remain complacent. It is better early than being late.

Hence we need to start using the DPA 2021 to provide coverage to Neuro Rights also even as the concept is further refined and brought  into a future legislation with a better clarity.

(To be Continued…)

Naavi

Earlier Articles

Starting the journey to the Neuro Rights Law and Technology

The Age of Neuro Rights Dawns in India

New Dimensions of Privacy-Mental Privacy and Neuro Privacy Rights


Starting the journey to the Neuro Rights Law and Technology

India entered the era of Cyber Laws in 2000 with ITA 2000 and made a soft entry to data protection law in 2009 with the notification of ITA 2008 and is likely to enter the field of Data Protection law in 2022. During these 20 years, Jurisprudence in Cyber Laws is under development and has accelerated in the last few years. At present we are in the process of assimilating the concept of “Cyber Evidence” and moving ahead we are trying to understand the legal principles related to Artificial Intelligence, Big Data, IoT, Smart Cars, Crypto Assets, Meta Verse etc.

It would take a few more years to understand the  anatomy of these technological developments and arrive at a generally acceptable interpretation for judicial purpose. The jurisprudence regarding such techno legal issues has to be developed by Techno Legal experts which in due course will reflect in judgements.

In the meantime, a new branch of human rights has emerged in the name of “Neuro Rights”. It has come as an offshoot of the “Privacy Rights” and hence needs to be addressed almost immediately after the Data protection law comes into existence.

Naavi.org will try to present different perspectives of Neuro Rights in preparation for a larger discussion in due course.

“Neuro Rights” is a branch of  human rights and for the sake of definition, we can define “Neuro Rights” as that body of law that addresses regulation of technological intrusions into the human’s mental faculty. It tends to protect the “Cognitive Liberty” of an individual which is the right of a person to independently and autonomously use his/her mind to engage in multiple modes of thought.

The technologies that tend to read, modify or block (similar to the Confidentiality, Integrity and Availability principles in Information Security)  the functioning of the human brain and connected nervous system are the “Neuro Technologies”, the use of which impairs the native ability of a subject to interpret the sensory perceptions.

For example, if a tiger is in front of me and my mind is made to think and see that it is a cat, then it is an intrusion into my mind for alteration of visual perception. Such illusions with “Deep mind stimulation” have been successfully experimented with rats by electrodes implanted inside the rat. It is an FDA approved procedure and soon may be allowed against the human beings. The topic has been extensively discussed and reflected in many movies and not far from being realized in the actual world.

In the positive sense, such technologies can make a blind person see as if he has eyes, help in treatment of sleep disorders, motor coordination problems, epilepsy, depression etc.

Hypnotism is already being used for similar results though the technology of hypnotism and the technology of Neuro Modulation are different and we shall try to differentiate between the two in some future discussions.

We are already aware of “Cochlear Implants” which enable persons with inner ear problems leading to hearing loss to regain hearing. A Cochlear implant is surgically implanted in the body and bypasses the damaged portion of the inner ear to directly stimulate the auditory nerve.

Similarly there are prosthetic limbs which sense the twitching of muscles and convert them into movements of fingers.

What these devices indicate is that it is technically possible to interact with the human nervous system and change the sensory perceptions through appropriate changes induced in the signals reaching the brain from the organs or vice versa. Whether this can be done through a “Near Field Communication” device or through a surgically implanted chip only is a matter to be decided by the technological developments.

Is this “Ethical”?

Is this an intrusion of “Mental Privacy”?

Does this impair the “Choice” of the human subject and render our current Privacy law based on “Opt-in Consent” completely irrelevant?

… are issues that arise in the light of these developments.

These developments in “Neuro Modulation/Modification Technologies” (NMTs) are not like the medical implants which regulate heart functions or blood sugar discharge etc., which are IoT devices that respond to external stimuli including WiFi messages and pose many serious life-threatening security risks.

Manipulation of the brain activity may actually change the person himself into a different person and pose a greater danger than “Artificial Intelligence”.

It is therefore necessary for us to think if we need to quickly bind the technology developers into some sort of discipline so that they do not create monsters and escape responsibility saying that it was just a bug in the software.

The branch of law that addresses this concern is the Neuro Rights Law. It is a new branch of study which is an extension of Privacy Rights.

In terms of development of legal jurisprudence, it has taken 20 years since India introduced Cyber Law but Cyber Jurisprudence is still under development. We do not know how long it will take for Data Protection Jurisprudence to reach some threshold level of acceptability. But we cannot ignore that now we are entering a new era of Neuro Rights and have to develop Jurisprudence for this branch of law also.

Naavi will try to place his thoughts little by little on this topic and hopefully Naavi.org will aggregate these thoughts into some useful body of knowledge.

Watch out for more articles on this topic in the days to come.

(P.S: I am aware that I am only a student in this new domain of Neuro Rights and trying to marry the legal concepts with Neuro Science and Psychology in the process, both of which are specialized areas of medical science. Just as 20 years back I tried to develop the Techno Legal jurisprudence by bringing the law and technology concepts to support each other, and later tried to bring together the computer technology and physics concepts together, I am trying to bring together two dissimilar disciplines together by interpreting law to the way the human nervous system operates. I hope the readers of this blog will appreciate the shortcomings in such a journey and help me take the discussions from the base level to a more sophisticated level in the next few months.)

Naavi

Previous Articles

The Age of Neuro Rights Dawns in India

New Dimensions of Privacy-Mental Privacy and Neuro Privacy Rights

 


The Age of Neuro Rights Dawns in India

India entered the domain of Cyber Laws on 17th October 2000 with the notification of the Information Technology Act 2000 (ITA 2000). Several amendments to this Act were passed in 2008, effective from 27th October 2009. These amendments gave a strong “Information Security and Data Security” posture to ITA 2000. Concepts of “Reasonable Security” and “Due Diligence” became part of the law and gave a compliance direction to the law.

With the concept of “Due Diligence”, the compliance goal post became a moving target with every advancement in technology and global laws. It was therefore possible for Courts to start picking ideas from PDPB 2019, a bill pending in the Parliament and discuss the “Right to forget” in some judgements. For the same reason, even though DPA 2021 is still a bill to be passed, it is considered as a due diligence guideline to be incorporated in the compliance framework for a company.

Despite this flexibility with which we can interpret ITA 2000 for new scenarios arising out of technological advancement, there is always a demand for law to be more specific. Hence there is a need to replace Section 43A and its notification with a whole new Act, DPA 2021. There is also a demand now for a major amendment to the ITA 2000 itself to accommodate issues arising out of AI, Crypto assets etc.

While we can address several aspects of AI or Crypto Assets or any other technological developments, including cyber crimes such as ransomware, by suitable interpretation of the current laws themselves, there is always a preference in judicial circles for a specific legal provision that brings more uniformity of interpretation.

In this context, we can deliberate if India needs to think of “Neuro Rights Law” as a separate law or work with interpretations of ITA 2000 and DPA 2021 to meet some of the requirements related to the same.

In the DPA 2021, “psychological manipulation which impairs the autonomy of the individual” has been defined as a “Harm” and therefore the entire Act applies to any activity that could cause such a “Psychological Manipulation”. It would be interesting to see if this concept of “Psychological Manipulation” can be extended to the concept of “Neuro Rights”, which primarily addresses manipulation of the functioning of human brains with electronic impulses.

Chile is credited with being the first country in the world to pass a law on “Neuro Rights”, in September 2021, to protect “Mental Privacy”, free will and non-discrimination in citizens’ access to neurotechnology. The stated aim is to give personal brain data the same status as an organ, so that it cannot be bought or sold, trafficked or manipulated.

There is one view that the development of such law is a little premature since the “Neuro Manipulation Technology” (NMT) is still in its infancy.

There is no doubt that NMT has many positive applications related to medical science for treatment of Alzheimer’s disease or even impairments of hearing or vision. But the possibilities of the technology becoming another “Bhasmasura” cannot be ruled out. Today the technology of Crypto Currencies is threatening to destroy our economy. AI and Humanoids may turn into rogue applications and devices, the like of which are seen in today’s movies. Similarly NMT has the potential to transform the human race into a hybrid entity which is ethically and morally questionable.

So far, the “Manipulation” which is recognized as Cyber Crime relates to data residing inside a computer which has a recognized owner. When data is changed without the permission of the owner, it is recognized as a “Cyber Crime”. Even our Privacy law is built on “Right of Choice” where a person opts in or opts out of a data collection and processing environment out of his own free will.

The thought of adding “Psychological Manipulation” as a part of “Harm” was perhaps driven by the Cambridge Analytica experience where a powerful coordinated messaging campaign could brainwash the audience into a chosen behaviour. Inducing a hypnotic state of mind through audio suggestions and visual imagery has been effectively tried in some games such as the “Blue Whale”. The new immersive technologies like the Meta Verse have made these hypnotization techniques more sophisticated.

We have also developed and accepted technologies of “Implants” within the body which can regulate heartbeats or blood sugar. Essentially we are already intruding into the human body to interpret the electro chemical changes happening in our organs and convert them into some action. The artificial limbs technology has gone beyond attaching an extendable arm or leg to a responsive hand where artificial fingers can be managed with twitches in the arm. In a way these technologies already convert muscular impulses into guiding the fingers to grab or hold an object and otherwise substitute the normal movements of the human fingers.

The new technology that is triggering the concern for a new law on Neuro Rights is the development of “Chips” which can be implanted in a human and which will directly interact with the brain and create sensory perceptions within the brain. These sensory perceptions may be gathered from the sensory devices or otherwise.

To understand the nature of this new technology, we can look at the following example.

Let us assume that there is a computer application that requires a password for access. In the simplest case, the password is entered into the computer in plain text and goes to the secured application, which already has a copy of the password and matches the two to open the access gates.

In a more secure method, the secure application may not store the password in plain text. The plain text password may be converted into a hash at the user’s end and the hash is presented to the application, which matches it with the hash already in its store and grants access.

In such a hash based authentication system, knowing the hash of a password is sufficient to access the server since the server responds when the right hash is provided. The application may not be able to distinguish whether the hash was calculated in real time after the user entered the plain text password in his computer or was replayed from a hash store. Such stored password attacks have been successfully carried out even when biometrics were used, though technology has now been updated to check whether the finger print comes from an underlying living hand or not etc.

The fact is that access to the secured application can be gained through the input device or directly at the entrance of the secure application.
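The point made in the paragraphs above, as an added example that is not part of the original article: a server that compares a client-computed hash treats that hash as the password, so the same bytes sent again are accepted. The class names, the choice of SHA-256 and HMAC, and the nonce-based challenge variant shown beside it are assumptions introduced here for illustration.

```python
import hashlib
import hmac
import secrets

def client_hash(password: str) -> bytes:
    """Hash computed at the user's end, as in the scheme described above."""
    return hashlib.sha256(password.encode()).digest()

class StaticHashServer:
    """The scheme from the text: the server stores the hash and compares what arrives."""
    def __init__(self, password: str):
        self.stored = client_hash(password)

    def login(self, presented: bytes) -> bool:
        return hmac.compare_digest(self.stored, presented)

class ChallengeServer:
    """Assumed hardened variant: a fresh single-use nonce is mixed into every login."""
    def __init__(self, password: str):
        self.key = client_hash(password)
        self.pending = set()

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.pending.add(nonce)
        return nonce

    def login(self, nonce: bytes, response: bytes) -> bool:
        if nonce not in self.pending:
            return False              # unknown or already-used nonce
        self.pending.discard(nonce)   # each nonce is accepted once
        expected = hmac.new(self.key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def client_response(password: str, nonce: bytes) -> bytes:
    return hmac.new(client_hash(password), nonce, hashlib.sha256).digest()

def demo():
    password = "correct horse battery staple"   # constructed sample value
    static = StaticHashServer(password)
    recorded = client_hash(password)            # what a legitimate login sends
    static_replay = static.login(recorded)      # the same bytes, sent again later

    server = ChallengeServer(password)
    n1 = server.challenge()
    r1 = client_response(password, n1)
    fresh_login = server.login(n1, r1)          # genuine login
    same_nonce = server.login(n1, r1)           # recorded exchange sent again
    n2 = server.challenge()
    new_nonce = server.login(n2, r1)            # old response against a new nonce
    return static_replay, fresh_login, same_nonce, new_nonce

if __name__ == "__main__":
    print(demo())
```

The challenge variant only stops reuse of a recorded exchange; the hash held by the server is still a password-equivalent secret, so a stolen hash store defeats both schemes.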

The “Chip” method of access to the human brain involves an electromagnetic link with which the Chip may be able to communicate with the neurons of the human brain and make the brain think it is seeing something or hearing something which is not there in the physical world.

This sort of “Brain Signal Manipulation” impairs the functioning of the human brain so that it sees things or hears things which are not real. This is a manipulation of the free will of a person and makes the discussion of “Right of Choice” etc. completely meaningless.

The legal issues that are being raised by the NMT are different from the issues arising on the Metaverse, where a person has accused another of inappropriate touch of an avatar causing mental trauma equivalent to rape in the physical society. Here the interaction is between two digital avatars in a digital platform and its equivalence to a physical society action is being debated. But here the perception of the victim is an induced feeling of the pain of the digital avatar as imagined by the victim. It is more in the mind of the victim than otherwise, but the perception of shame felt by the victim in a virtual rape of her digital avatar may be as real as the experience of the Blue Whale game player.

Philosophers may however ask what is the difference if you can see things which are not real? As long as the perception is real, it is an experience. For example if you are in the 3D Trick Art Museum in Dubai or the 7D hologram show, the perceptional experience may be as real as it can get. A person may get frightened enough to have a heart attack though the snake he sees may only be an image.

The NMT with embedded chips is much more than the current technologies such as the 7D hologram show since in these technologies, the perception is captured by the normal human eye or ear and transmitted to the brain. In the NMT embedded chip technology, the perception is created directly in the brain and hence it is indistinguishable from real experience.

Once the embedded chips can respond to WiFi signals or the technology advances to the extent that brain manipulating waves can be transmitted through air, brain hacking becomes easier and can be achieved without the need for an embedded chip and a wiring between the chip and the neuro channels within the body.

In the Indian law, under ITA 2000 there is a provision under Section 11 that any electronic record shall be attributed to the person who programs a system to behave in a specific manner. Hence the “Induced Experience” can be attributed to the person who caused the Chip to send the specific signal which induced the experience.

By combining the provisions of ITA 2000 as well as the concept of “harm” under DPA 2021 it is therefore possible to consider that “Inducing mental experiences” is nothing different from introducing a “Computer contaminant” into a computer system. Hence hacking of human brain may be equivalent to hacking of a computer.

The analogy of the human brain being considered as a computer is also corroborated by neuro science. According to neuro science, sensory perceptions travel as electrical impulses and get transmitted from the nerve edges through the nerves to the receptors in the brain. Thereafter the brain interprets the impulse based on its memory where similar impulses are stored earlier. The eyes, ears, nose, tongue and skin are like input devices and the mouth may be an output device. The processing in the spinal cord may be similar to the RAM response. The arms, legs and other muscles are like various mechanical devices that may be taking the output from the brain and converting it into physical actions.

In view of the above, the “Neuro Rights” in India may be exercisable even under the current laws. However, a thought process has been sown for a debate on whether a separate Neuro Rights law is required in India.

Naavi would invite thought leaders in this domain to contribute to the development of Neuro Rights Jurisprudence in India so that Judiciary can be provided with necessary guidance when required.

Naavi
