IAB publishes a CCPA compliance framework for public comments

The IAB (Interactive Advertising Bureau), which has a membership of more than 650 leading media companies, brands and technology firms with a stake in digital marketing, has come up with a framework for compliance with CCPA and released it for public comments.

The framework is open for public comments till the 5th of November. The framework is intended to be used by those publishers who “Sell” personal information and the “Technology Companies that use the sold personal information”.

In the digital marketing world there are “Publishers” who publish advertisements on websites and some who use other means such as e-mail marketing to publish advertisements. The product marketing companies place their “Advertisements” in appropriate publishing channels.

Some of the publishers may occasionally use the services of intermediaries who identify the target audience to whom a message can be advertised. These intermediaries collect personal data by their own means, then filter it into different categories and make it available to other publishers. There is a “Profiling” activity involved in this process, which falls under the different data protection regulations.

The publishers may also be benign publishers who do not use “Targeted Advertising” on their platforms and therefore do not have responsibility for the profiling. In such cases the publishers may simply be “Advertising Platforms”. In Indian law they will legally be “Intermediaries under Section 79 of ITA 2000”.

The difference between the “Target identifier”, “Publisher” and “Advertising platform” depends on the extent of control they exercise over the collection and processing of personal data.

For example, naavi.org is a platform on which Google Ads is the publisher and Amazon may be the advertiser. The dividing line between the Publisher and the Platform is thin. But since naavi.org does not decide what ads are to be presented and Google Ads is the ad-serving company taking that decision, naavi.org becomes only a platform that lends part of its space to Google advertising.

The Google Ad network may sell advertising space from its clients’ sites through Real Time Bidding (RTB), under which advertising inventory is bought and sold on a per-impression basis via a programmatic instantaneous auction. The algorithm used for such advertising may incorporate profiling of a visitor to a website as well as the use of AI. The platform may not have much knowledge of how the ads are chosen, except that it can prohibit certain types of content.

The IAB framework provides guidelines for the publisher and the advertising company on how to handle the personal data.

The “Framework” envisages that any company that engages in or supports an RTB transaction may sign the “IAB Limited Service Provider Agreement”.

The framework participants include:

a) Owners of publisher digital properties (e.g., publishers of web pages and retailers with advertising on their sites or apps that, in each case, a California consumer (a “Consumer”) visits)

b) Downstream Framework participants (e.g., supply side platforms or SSPs, demand side platforms or DSPs, ad servers, and agencies)

c) Owners of advertiser digital properties (e.g., brand entities that also operate/publish a web page)

d) Downstream Framework participants who receive personal information about a consumer that originates from the advertiser digital property.

The framework applies to RTB transactions involving the “Sale” of Personal Information only when all the participants in a transaction are “Framework Participants”. The digital property can, however, opt out of the framework. When the Digital Property does utilize the Framework, it will be contractually required to send the bid request and accompanying personal information only to other Downstream Framework Participants. Additionally, when a Downstream Framework Participant receives the bid request from the Digital Property, it will be contractually required to confirm that its counterparties are Framework Participants by using the Signatory Identification Solution, and to pass the bid request and personal information only to Framework Participants.

The guidelines cover the information to be provided to the individuals who allow their personal data to be sold through an opt-in process, the display of a “Do Not Sell” button, and how to handle the “Do Not Sell” requests of a person who has earlier consented to the sale. The framework suggests that the “Service Contracts” between the Publisher and the advertiser have to accommodate the change in consent.

Digital properties that send the signals for RTB to a participant cannot onward-sell the personal information without an “Explicit Consent”. The digital property must include a “California Explicit Notice” link near the “Do Not Sell” link. A sample “Explicit Notice” is also provided in the guideline.

Under CCPA, when a Consumer opts out, it does not bar the collection of personal information or the delivery of a personalized ad but rather bars a “sale” of personal information related to the delivery of a personalized ad. Hence the downstream framework participants become “Limited Service Providers” on behalf of the digital properties.
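As an added illustration (this is not IAB’s code, and it does not reproduce the framework’s actual Signatory Identification Solution or its signal format), the following Python models the two rules described above: a bid request may be forwarded only to counterparties that verify as framework signatories, and once the consumer has opted out, the downstream recipients handle the request as limited service providers rather than as buyers of personal information. The participant names, the signatory registry, the routing graph and the `opt_out` flag are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed stand-in for the Signatory Identification Solution: parties that
# have signed the Limited Service Provider Agreement. Names are hypothetical.
FRAMEWORK_SIGNATORIES = {"pub.example", "ssp-a.example", "dsp-b.example"}

# Constructed routing graph: where each party would normally forward a bid
# request. ssp-z.example and dsp-c.example have not signed, so a request must
# stop before reaching them.
DOWNSTREAM = {
    "pub.example": ["ssp-a.example", "ssp-z.example"],
    "ssp-a.example": ["dsp-b.example", "dsp-c.example"],
    "ssp-z.example": ["dsp-b.example"],
    "dsp-b.example": [],
    "dsp-c.example": [],
}


@dataclass
class BidRequest:
    consumer_id: str
    opt_out: bool                              # consumer exercised "Do Not Sell"
    hops: list = field(default_factory=list)   # signatories that received it


def is_signatory(party: str) -> bool:
    """Check a counterparty against the (constructed) signatory registry."""
    return party in FRAMEWORK_SIGNATORIES


def role_for(req: BidRequest) -> str:
    """Opt-out does not block the request or a personalized ad; it blocks the
    'sale', so recipients act as limited service providers instead."""
    return "limited_service_provider" if req.opt_out else "framework_participant"


def route(sender: str, req: BidRequest, log: list) -> list:
    """Forward req from sender only to verified signatories, recursively, and
    record each accepted or refused hop as (sender, receiver, outcome)."""
    for receiver in DOWNSTREAM.get(sender, []):
        if not is_signatory(receiver):
            log.append((sender, receiver, "refused: not a framework participant"))
            continue
        req.hops.append(receiver)
        log.append((sender, receiver, role_for(req)))
        route(receiver, req, log)
    return log


def run(consumer_id: str, opt_out: bool, origin: str = "pub.example"):
    """Originate a bid request at a digital property and return (request, log).
    A digital property that has not opted into the framework cannot originate."""
    if not is_signatory(origin):
        raise ValueError(f"{origin} has not opted into the framework")
    req = BidRequest(consumer_id, opt_out, hops=[origin])
    return req, route(origin, req, [])


if __name__ == "__main__":
    for opt_out in (False, True):
        req, log = run("consumer-1", opt_out)
        print(f"opt_out={opt_out}: reached {req.hops}")
        for hop in log:
            print("   ", hop)
```

Running the block shows the request reaching only the three signatories on either path, with the two non-signatory hops logged as refused; with `opt_out=True` the same hops are taken, but every recipient is labelled a limited service provider, which is the distinction the CCPA opt-out draws between receiving a request and buying the personal information in it.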

The guidelines also provide technical frameworks to be used in the specified cases.

In a way, it appears that IAB is trying to set up some industry standards applicable to the participants of the framework.

The reaction of the industry needs to be watched.

Naavi

Posted in Cyber Law

10000 years = 200 seconds in Sycamore Processor

Google has claimed a breakthrough in Quantum Computing and has stated that it has successfully tested a 54-qubit processor named Sycamore which, in just 200 seconds, performed a computation that would take the fastest known classical computer about 10000 years.

Refer here: Quantum Supremacy using programmable superconducting processor

The research team at AI Quantum has built programmable high-fidelity “Quantum Logic Gates” which performed the computations.

The Sycamore processor consists of a two-dimensional grid in which each qubit is connected to four other qubits.

According to the scientists, the Sycamore quantum computer is fully programmable and can run general-purpose quantum algorithms. According to them, this breakthrough has produced the first widely useful quantum algorithm for computer science applications, with “Certifiable quantum randomness”.

Going forward, the scientists will try to find valuable applications of quantum computing. The processors will also be made available for further academic research to develop appropriate algorithms, design new materials and new catalysts, more effective medicines, etc.

Though Quantum Computing, based on the principles of physics, is still Greek and Latin for most, it appears that the days of Quantum Computing, at least in scientific research, are nearer.

Naavi


Forged and Scanned document under Section 65B

An interesting hypothetical case was referred to me today on the acceptability of the Section 65B certificate and its impact when a person forges a document, scans it and presents a section 65B certified print copy of the scanned document for admission in a Court.

The query is that if “the original is not required to be presented”, then the forged document becomes admissible and it becomes difficult to prove the forgery. Therefore, does Section 65B put the person who is disputing the forged document in a difficult position in law?

The query is interesting. I am presenting my views on it and would be happy to receive other views.

The answer to the query requires the application of Section 65B interpretation as well as the appreciation of paper evidence. Hence it is complicated.

In a practical situation, the presenter of the Section 65B certified computer output (the Presenter) may present the computer output in paper form or in electronic form. If it is in electronic form and in good resolution, the image can be viewed by the signature verifier and a view can be taken just as we verify an ink signature on paper, though some of the parameters of verification, such as the ink absorption on paper, overlapping and pressure, may become a little difficult on the scanned image. But parameters like “angle”, “size”, “strokes”, “the dashes and dots”, etc. are visible even in the scanned image. A good signature verifier can take a reasonably accurate view of the forgery.

However, if the image is of low resolution, or it is presented in print form with unclear printing, then verification is as challenging as when we have a smudged thumb print on paper.

Normally, a signature verifier refuses to provide a positive opinion unless the image is clear enough, and this will apply equally to a verifier of an image of a signature in electronic form on a scanned document.

It is necessary for us to appreciate that the admissibility of an electronic document based on the Section 65B certificate is a matter different from admitting the signature of a person in the document which is scanned.

In the case of a paper document, if a person produces a forged paper, the signatory is not objecting to the content per se but only to the signature. It is quite possible that he may say, “I am aware that this document was given to me for signature but I refused to sign.” Hence “Admission of the document” as evidence does not automatically admit the “Signature within”.

When a signed document is presented by one party and it is challenged as a “Forgery”, it is the responsibility of the presenter to produce additional evidence, including the handwriting expert’s opinion, to prove the signature. Similarly, in the case of the Section 65B certified document, though the document as a whole is admitted as evidence at the request of the presenter if the Section 65B certificate is satisfactory, the Court may still expect the presenter to prove that the signature as it appears is that of the person to whom he attributes it. This means that the onus of getting a handwriting expert to confirm the signature lies with the presenter.

If the document is unclear, the handwriting expert may refuse to give a conclusive opinion. If he gives a negative report and the document is Section 65B certified by a person who is not a “Trusted Third Party”, then the certifier needs to have credibility of his own, as otherwise he may be charged with perjury by the Court.

A professional Section 65B certifier will not certify a doubtful document and take this risk, and a professional handwriting expert will not take the risk of a positive identification based on an unclear document.

Hence a Section 65B certificate alone, though it makes the document admissible for trial, does not guarantee that its “Genuineness” is taken as established.

The Supreme Court in the Basheer judgement was very clear in making a distinction between “Admissibility” and “Genuineness”, and this comes in handy to protect the honest person in the above case whose signature is allegedly forged.

Hence Section 65B does not in any way create an adverse impact in this situation.

Naavi


CBI Enquiry is required for finding the truth behind TransUnion taking over CIBIL

I have earlier discussed in these columns matters related to my RTI application in which I queried both the RBI and the Ministry of Finance about how Trans Union International Inc, a US-based company, increased its shareholding in Credit Information Bureau (India) Limited, or CIBIL, from 10% in around 2009 to 92.1% in 2017. In the process it acquired shares earlier held by public sector banks.

This foreign private company is now holding sensitive critical information about Indian borrowers. We do not know whether this company is holding its data in India or abroad, and whether it is violating the “Data Localization Norms”.

The company CIBIL came into existence as a result of the recommendations of the N H Siddiqui committee way back in 1999. This working group submitted its report in October 1999. It had recommended, inter alia, that

(a) a Credit Information Bureau be set up under the Companies Act, 1956 with equity participation from commercial banks, FIs and NBFCs registered with Reserve Bank of India;

(b) a foreign technology partner be included as a collaborator in setting up of a Bureau;

(c) an appropriate legal framework be put in place to provide adequate protection to the Bureau as also the credit institutions sharing information with the Bureau;

(d) pending enactment of a master legislation/legal amendments, a beginning could be made for setting up a Bureau which can operate initially by pooling information on suit-filed accounts as also transactions on which the borrower has given consent, for sharing amongst the user group.

In the Monetary and Credit Policy for the year 2000-2001, the Governor, Reserve Bank of India, announced the setting up of Credit Information Bureau in India.

Credit Information Bureau (India) Ltd., (CIBIL) was set up by State Bank of India in association with HDFC in January 2001, with an authorised capital of Rs.50 crore and a paid up capital of Rs.25 crore, with equity participation of 40 per cent each and two foreign technology partners viz., M/s. Dun & Bradstreet Information Services (India) Pvt. Ltd., and Trans Union International Inc., U.S.A. sharing the remaining 20 per cent equity stake.

With a view to strengthening the legal mechanism and facilitating the Bureau to collect, process and share credit information on the borrowers of banks and financial institutions, a draft legislation covering, inter alia, responsibilities of the Bureau, rights and obligations of the member credit institutions and safeguarding privacy rights, was prepared by Reserve Bank of India and submitted for Government’s approval in May 2001.

A Copy of this report is available here

This report examined the legal issues and recommended that under the (then) existing legal framework, CIBIL or any other CIB may collect, process and disseminate credit information relating to:

    1. suit-filed accounts regardless of amount claimed in the suit or amount of credit granted by a banking company or a credit institution; and
    2. such transactions where the constituent has given consent for disclosure for such purpose.

A Code of conduct was also prescribed for CIBIL pending a detailed legislation.

The entire discussion at this stage was under the presumption that CIBIL was an institution owned 80% by SBI and HDFC and had accommodated foreign companies only for their technical expertise. This must be considered the “Constitutional Basis” for CIBIL.

Subsequently, in 2005 the Credit Information Companies (Regulation) Act (CICRA) was enacted and, apart from CIBIL, three other Credit Information Companies (CICs) were also set up.

Subsequently, in January 2014, the Aditya Puri Committee of RBI gave its report recommending a data format for furnishing credit information to credit information companies.

Copy of this report is available here

According to the Act, a Credit Information Company is one which has been granted a certificate of registration by RBI. The conditions of registration were to be set by RBI taking into account the public interest.

It is interesting to note that the Act itself prescribed Information Privacy Principles under Chapter VI which required “Consent” as well as maintenance of “Accuracy” and “Security” of Credit information.

It said:

“A credit information company or credit institution or specified user, as the case may be, in possession or control of credit information, shall take such steps (including security safeguards) as may be prescribed, to ensure that the data relating to the credit information maintained by them is accurate, complete, duly protected against any loss or unauthorised access or use or unauthorised disclosure thereof.”

It also said:

“Every credit information company, credit institution and specified user, shall adopt the following privacy principles in relation to collection, processing, collating, recording, preservation, secrecy, sharing and usage of credit information, namely:—

(a) the principles—

(i) which may be followed by every credit institution for collection of information from its borrowers and clients and by every credit information company, for collection of information from its member credit institutions or credit information companies, for processing, recording, protecting the data relating to credit information furnished by, or obtained from, their member credit institutions or credit information companies, as the case may be, and sharing of such data with specified users;
(ii) which may be adopted by every specified user for processing, recording, preserving and protecting the data relating to credit information furnished, or received, as the case may be, by it;
(iii) which may be adopted by every credit information company for allowing access to records containing credit information of borrowers and clients and alteration of such records in case of need to do so;

(b) the purpose for which the credit information may be used, restriction on such use and disclosure thereof;
(c) the extent of obligation to check accuracy of credit information before furnishing of such information to credit information companies or credit institutions or specified users, as the case may be;
(d) preservation of credit information maintained by every credit information company, credit institution, and specified user as the case may be (including the period for which such information may be maintained, manner of deletion of such information and maintenance of records of credit information);
(e) networking of credit information companies, credit institutions and specified users through electronic mode;
(f) any other principles and procedures relating to credit information.”

Since the Act envisaged that a CIC was a company under the Indian Companies Act, other requirements such as the shareholding of such a company and FDI should come under the general norms for allowing Foreign Direct Investment.

It was in 2016 that TransUnion was allowed to take over 82% of the stake in CIBIL to become Trans Union CIBIL. At this time, the Modi Government was in place and Mr Arun Jaitley was the Finance Minister. It is therefore under this regime that CIBIL’s ownership was transformed and all the Public Sector and other Banks transferred their shares to Trans Union. During this time Mr Raghuram Rajan (a nominee of Mr P Chidambaram) was still the RBI Governor, and Mr Urjit Patel took over in September 2016.

Each of these Banks is a corporate entity, and hence there must have been a debate in their respective organizations and Boards on the pricing of the shares and on why the shares should or should not be sold.

It is possible that the Finance Ministry gave a direction, by way of a circular or an informal instruction to the Chairmen, that they should sell their shares in CIBIL to TransUnion at a given price.

RBI, being the custodian of these Banks and also the licensing authority under CICRA, must have been consulted on whether the license given to CIBIL under its earlier ownership model is extendable to the new ownership, or whether it has any objections.

In the CICRA regulations, RBI made the rules for implementing the Act. The rules expanded the user base of the information to stock brokers and mobile companies, which must be considered “ultra vires the Act”.

The regulations failed to recognize the possibility that critical data of Indian citizens could land in foreign hands if the ownership of the Company is not restricted to Indians. (It may be noted that the ITA 2000 rules on Certifying Authorities restrict foreign ownership, and hence this need was within the radar of the Government regulators.)

The privacy principles included in this regulation are worth a look and a comparison with the current standards of privacy under the proposed PDPA.

There are also security guidelines to safeguard the information in the form of a separate notification.

In framing these rules, RBI appears to have ignored the need to take a stand on the nationality of the ownership of such companies and the need to protect the value of the information from falling into foreign hands.

Further, it appears that the license has no fixed term and no requirement of periodic review, though the power to cancel the license is available.

Now RBI has issued a Data Localization mandate to Banks, which should in principle also apply to CIBIL. Hence the transfer of ownership from Indian Banks to a foreign technology company is sufficient ground to cancel the license issued to CIBIL.

RBI should take suo motu action in this regard, failing which I request some of my friends to take up a PIL in the Supreme Court to direct the RBI to cancel the license of CIBIL unless it transfers its shareholding to Indian Banks as it existed before 2016, or more ideally the entire shareholding.

In a recent RTI application made in this regard to know how RBI allowed this “Laundering of Sensitive Personal Data of Indian Individuals” from the hands of Indian Banks to foreign hands, RBI has replied that it does not possess this information. Given the fact that the TransUnion acquisition of shares was from other Banks, it is difficult to accept the contention that RBI does not have the information. Obviously, RBI refuses to get into a controversy as it may expose an unsustainable decision of its former Governor and perhaps also expose some irregularities of the Ministry of Finance.

RBI has however hinted that the information on how the FDI was permitted could be obtained from the Foreign Investment Promotion Board (FIPB), which is the organization that has landed Mr P Chidambaram in jail today, and CBI is investigating some of the cases related to its approvals.

I request CBI to also consider this FIPB clearance given to various Banks to sell their shares in CIBIL to TransUnion as part of its current investigation.

In the meantime, I am still awaiting response from the Ministry of Finance under the RTI to understand how FIPB gave this clearance. Shareholders of each of the Banks which held the shares of CIBIL and sold it off to TransUnion should also question their respective Boards to disclose why that decision was taken.

If properly investigated, this could unearth a scam of its own. I request public spirited advocates to take up a PIL in this regard in Delhi, preferably at the Supreme Court, and bring the details of the takeover deal into the public domain.

This is important for the protection of the privacy of Indian Bank customers. I personally have no objection to Indian Banks exchanging credit data, because it is in the interest of our Banking industry, but there is no reason why a US-based technology company should own the critical financial transaction data of Indian citizens.

Naavi

Earlier Articles

Is TransUnion-CIBIL guilty of Accessing Critical Personal Data through surreptitious means?



Supreme Court should mandate addition of the Verified and Unverified status to Social media accounts

There is a debate presently going on in the Supreme Court of India about the responsibilities of the Social Media Companies such as FaceBook and Twitter in preventing “Fake Accounts” and “Fake News”.

It is beyond question that fake news is a menace which should be stopped. It is actually in the interest of service providers such as Facebook, Twitter and WhatsApp to introduce a system that prevents fake news, as a means of preserving the trustworthiness of their platforms.

We know that, due to phishing, any e-mail or phone call from a Bank is not trusted by the customer. Even if the call is genuinely from a Bank, today we will consider it a fraudulent call. This situation should not come to social media also.

Some of the Social Media companies are resisting the request of the Government to take steps to prevent fake news by complaining that any attempt to identify the originating source of a message is an infringement of the privacy rights of the person accused of sending such messages.

In the past, Courts have given excessive credibility to Social Media by

a) Considering the forwarding of messages as an endorsement of the content

b) Clicking “Like” button or Re-Tweeting as an endorsement of the content

c) Treating the double tick in WhatsApp as delivery confirmation of a message and the double blue tick as an acknowledgement of receipt (even when there is no Section 65B Certificate)

This excessive reliance by the Judiciary is itself a reason for the increasing possibility of social media being used for planting fake stories.

Fake Message Prevention needs technical measures both at the time of creation of the account and also when an objectionable message is sent.

The Social Media should therefore be mandated to observe some general security practices such as the following:

  1. At the time of opening a social media account, the details of the registrant along with metadata such as the IP address and Device ID (e.g. IMEI number, BIOS ID) must be captured by the service provider and preserved until at least 3 years after the account is closed. In case of any legal dispute arising on the account, the information should be considered “Evidence” and archived permanently.
  2. When a message is sent which is suspected to be “False” and law enforcement demands the origin of the message, the social media manager needs to produce information such as the Mobile Number or IP address, the registered address of the account holder, etc.
  3. Quite often the Social Media companies hold out the excuse that content is encrypted end-to-end and any request of law enforcement requires “Decryption”, which technically may not be feasible. It is difficult to believe this contention, since law enforcement requests are only for information about the originator of the message and not the message per se. It is only after a person who has a copy of the message files a complaint that the investigation is taken up. At this time, the content is already known and there is no need for WhatsApp to provide the content. The previous messaging device ID is not part of the encryption but is only part of the metadata. Hence there is no reason to accept the contention of these companies that they are not in a position to provide the details as asked.
  4. A request for decryption may come only when there is a demand under Sec 69 of the ITA 2000, which can be invoked in very limited cases and only when national interest is involved. There are sufficient checks and balances in law to prevent misuse. If some law enforcement personnel misuse the provisions and intercept without authority, the Act considers such interception “Unauthorized Access” under Section 66 of ITA 2000. Hence there is no reason why these companies should be allowed to avoid cooperating with law enforcement making a request through due process. The data localization requirement under PDPA has actually originated because Google and Facebook do not cooperate with law enforcement and provide the information required by the police. The Supreme Court should not allow these companies to bully their way through and avoid responding to genuine law enforcement requests.

Linking of Aadhaar

If prevention of the creation of Fake Accounts is a necessity, then the means of ensuring this could be insisting on the “KYC” of the customer at the time of opening a social media account.

Facebook, Google as well as WhatsApp want their members to transfer money through their accounts to “Friends” and “Contacts”.

If, therefore, the identity of account holders is not verified properly, these accounts become conduits for unaccounted transactions.

Facebook in particular is dangerous because it is promoting its own crypto currency (Libra), which will be a direct threat to the economy, providing a conduit for black money legitimization.

If, therefore, the Government wants a good KYC using Aadhaar or PAN Card, Digital Signature Certificate, etc., as the basis, it is a fair request.

Since the Supreme Court has not been in favour of private sector using the “Aadhaar” for KYC purpose, these agencies can make use of “Virtual ID” or “Offline Verification methods”.

Presently, Twitter has a “Blue Tick” facility to mark accounts which have been “Verified”. Similar verification can be introduced for other social media accounts also.

Even if verification is not made mandatory, if the provision is available a majority of Indians would opt to have the “Verification Tick” as a prestigious tag.

At the same time, those who opt out may be given a “Red Cross tick” to show they are “Unverified”.

In due course, the “Identified” account holders will be in the majority and push the “Fake Account holders” into the category of “Untrustworthy accounts”. In a way this will automatically segregate the “Blue Ticked Verified Account holders” from the “Red cross-ticked unverified account holders”. This will reduce the incidence of fake news substantially without any further effort.

Since “Consent” could be a basis for many other forms of “Sharing of Sensitive Information” as per PDPA, there is no reason why we should not allow account holders to voluntarily submit their Virtual Aadhaar IDs to get their ID verified at the time of opening their Social Media accounts.

When the Supreme Court hears the petitions in this regard, it should therefore take into account the above suggestions and help in improving the credibility of the Social media.

Naavi


New Version of Course on PDPA

Cyber Law College, a division of Ujvala Consultants Pvt Ltd, has introduced a new version of its Course on PDPA (Personal Data Protection Act).

This version includes additional modules on the Data Governance Framework as well as a discussion on the Data Protection Challenges in new technology areas such as Artificial Intelligence, Big Data, etc.

The revised Course content is now as follows:

Course Contents:

      1. Evolution of Privacy Law in India (ITA 2000, ITA 2008, Puttaswamy Judgement, etc.)
      2. Understanding the Concept of Privacy and its relation with Data Protection
      3. Applicability, Exemptions, Transitional Provisions
      4. Data Principal’s Rights and Data Protection Obligations
      5. Grounds of Processing
      6. Transfer of Personal data outside India
      7. DPA and DPO
      8. Compliance Obligations
      9. Penalties and Offences and Grievance Redressal mechanism
      10. Data Protection Challenges under New Technologies
      11. Data Governance Framework
      12. Interactive discussion

The 12 sessions would be divided over 6 weeks with two sessions per week.

(A Free additional module will be held to cover the changes if any after the Act is passed)

The tentative date of commencement would be in the middle of November. Exact date of commencement would be announced later.

The students need to be online at the time the classes are conducted but can join the sessions through computer or mobile.

At the end of the classes, the students will take an online test and thereafter will be eligible for certification. The certificate will be co-endorsed by the Foundation of Data Protection Professionals in India.

Intended students may register at the earliest.

For more information, visit www.cyberlawcollege.com
