Naavi.org

[Discussion continued from previous articles]

“Status Quo” is most comfortable for some of the tech companies as regards Intermediary guidelines is what comes out of the 609 page collection of public comments.

There are a total of 141  comments which are listed in the list given below.

Index of Suggestions received as Public Comments

(Please note that the .Page numbers are from a down loaded document. One the website there will be a difference of page numbers by one page since numbering starts from the second page. Also, since in some cases the identity of the persons was not visible, they have been left blank  If any body can claim the particular comment, they can keep Naavi informed so that this index can be updated.)

Who all have provided comments

It may be noted that there are a number of foreign companies, NGOs and even individuals who have provided their comments.

As could be expected, several NGOs who are active in promoting human rights on the Internet have provided their views.

Since Naavi’s views were already contained in FDPPI’s views, no separate submission was made by either Naavi individually or from Cyber Law College or Naavi.org.

What is surprising is that most of the Premier Law Colleges including the NLSUI, NALSAR etc have not contributed their thoughts. IIIT Bangalore is however one of the academic institutions that has submitted its views.

FINTECH industry as well as the E Commerce, industry  are conspicuous by its absence in the list of contributors.

There is some thoughts contributed from the health care sector particularly regarding the part referring to smoking, alcohol and Narcotics promotion on Internet.

Bombay Chamber of Commerce and Industry,  FICCI, AMCHAM and CII are industry associations which have contributed their thoughts. US India Business Council has also provided its views.

Election Commission of India  is the Government body which has submitted its views.

Number of law firms which have submitted their views are few. Banana IP, IRA Law, Samvad partners are a few who can be identified. There are a few individual lawyers who have submitted their views. Most of the persons who promote themselves as “Cyber Lawyers” have not taken the trouble of providing their considered views. The habitual PIL lawyers who raise the Constitutional rights at the drop of a hat have also failed to record their views at this stage.

Rajeev Chandrashekar as an MP has submitted his views while comments have also been made from the Congress Party in the name of “All India Professional Congress”.

IBM, Wipro, JIo, XIAOMI, AWS, Mozilla, are the noticeable names from the tech industry.

ISPs and MSPs are represented through their associations. Few Policy research organizations have provided their views.

NASSCOM’s views are provided through DSCI.

Overall, it is heartening to note that so many people have taken the interest in submitting their views, though several more should have also contributed.  At least this indicates the wide interest being shown on Indian law making process across the world.

Negative Comments predominant

It is unfortunate to note that majority of comments are “Negative” comments and include those which keep saying, more consultation is required etc. These indicate that people are happy with policy paralysis and no action being taken rather than some action.

Many of the suggestions made also indicate lack of understanding of the context in which this notification has to be placed as an administrative notification under the statute which became effective in 2009 itself.

Shreya Singhal Judgement which was a faulty judgement with a wrong interpretation of “Messaging” as “Publication” and Puttaswamy Judgement which was related to “Information Privacy” without defining what is “Privacy” have been extensively quoted by many.

Further Comments to Follow

It is easy to say “Don’t Do this or that”. But it is difficult to say “What should be done”.  We therefore  need to ignore most of the negative comments and focus on a few which contain some suggestions. It is only from those comments that the Government would be able to bring some changes that would try to tackle the issue of “Fake News” and “Frauds through Intermediaries”.

We shall try to focus on such positive comments in our subsequent articles though it may be necessary to comment on a few others in the passing.

Naavi

A draft of a modified  Intermediary guidelines under Section 79 of ITA 2000/8 was released  on 24th December 2018, modifying the earlier guideline of 11th April 2011. Public comments were called for on the draft until 31st January 2019. Now the consolidation of comments running to 609 pages has been released by Meity. Counter comments can be sent on these comments until 14th February 2019 after which Government may proceed to finalize the draft.

The copy of the consolidated report is available here.

Naavi’s views has been provided under the banner of FDPPI which is available at pages 21-28.

It is heartening to note so many responses being filed and with a detailed analysis. The response seems to vindicate my earlier view that what we are seeing is the second awakening in the industry about the presence of a law called Information Technology Act 2000 and its implications on the functioning of the industry. The law came into being on 17th October 2000 but most people in the industry ignored. It was only in 2011 when Section 43A rules were published, that the industry woke up to the existence of the law.

Now the Management localization and the automated tools suggested in the rules have been noticed by the industry and there is some effort to record their views.

Several advocates have placed their views invoking “Constitutional Issues” repeatedly and quoting the Puttaswamy judgement.

We will try to highlight some of the salient suggestions that have been made in the comments in due course.

To start with we draw the attention of the industry professionals to the specific suggestions made in the FDPPI comments particularly the idea of developing an “Intermediary Dispute Resolution Policy” and implementing it through accredited dispute resolution agencies on the lines of the ICANN control on domain names.

The advantages of such a system will be discussed in subsequent articles.

Naavi

I was glad to see a report that a person  was sentenced to 10 year imprisonment for SIM Swapping fraud. It was unfortunate that he was a young 20 year old college student. The fraud involved crypto currencies which I classify as “Currency of the Criminals”.

The incident was however not in India but in California as this report indicates. According to the report he is the first hacker sentenced for SIM swapping fraud.

These kind of frauds happen regularly in India and our laws are not so stringent to impose any deterrent punishments to these criminals. 

I am happy that such stringent punishments are meted out to such criminals. This should not be misunderstood that I am harsh on a young boy who is being punished but actually, I am sympathetic and compassionate to the many of the victims whom this person affected out of his greed.

Indian Courts need to take note of this Criminal Jurisprudence and ensure that in India when such cases are found, the culprits donot get immediate bail and are punished properly.

Naavi

Indian Banking has taken shape from the UK Banking laws. One of the principles that Banking has followed for a long time is trying to be secretive about the fraud losses at least in the individual balance sheets of Banks for the fear of adversely affecting consumer confidence.

It however appears that the winds of change are blowing across UK which needs to be also emulated by India. I recently came across a website of ukfinance.org.uk  where comprehensive fraud statistics for the Banking and payment card industry has been provided. This would be very useful for the Cyber Insurance industry to develop its products and also for the industry and law enforcement to understand the risks and take mitigation step.

In India, RBI has been very reluctant to provide such details and even on RTI applications are taking the stand that they donot segregate fraud data in such detail.

May be it is time that RBI changes its stand and start publishing such data regularly.

Naavi

Cyber Society of India (CySi) celebrated the Data Privacy Day in Chennai in a colorful event on 28th January 2019.

The event organized under the leadership of  the president Mr S. Balu, reportedly attracted good attention of the industry professionals since it was one of the first such programs to be held in Chennai.

Discussions on Global Trends in Privacy, Impact of GDPR and related issues were discussed during the deliberations.

An interesting caricature on the Right to Privacy shown above attracted the attention.

The caricature (drawn by Mrs Saranya Devi) has captured  the relationship of Privacy Protection in the context of a Citizen of a Physical Society and a Netizen who lives in the Cyber Society and underscored the fact that Privacy of  Netizen is only “Information Privacy” guaranteed by the due diligence of the Netizen and the Intermediary.

While discussing Data Protection laws, we often forget that we are trying to protect a right in one society by a law in another society and this is the root cause of many conflicts. It is like our Parliament passing a law in India for regulating activities in another independent country like Saudi Arabia or Pakistan. Conflicts are bound to arise in the absence of a “Treaty” between the two societies.

Since Privacy is a “State of Mind” of an individual and reflects the perception of a subject such as “I am free”, “I am alone”, “No body is around me” etc., it cannot really be guaranteed by force through a law. Despite this, the entire Data Protection regulatory regime is built on the premise that Privacy of a Citizen can be guaranteed through a regulation of “Information Privacy” which boils down to giving some control to an individual to decide how his “Personal Information” may be collected and used by others.

Naavi has used the Johari Window concept for describing the scope of Data Protection legislation which is reproduced below.

What this “Personal Information Grid” represents is that for every person there are sets of data which he knows and which he himself does not know. Some of this information may be known to others and not known to others. Some information known to the individual but he does not want others to know is the domain of “information privacy”.

The Data Protection law covers how the information may be shared by the individual to others through consent  and who are the agencies who are authorized to collect the data even without such a consent. When unauthorized access of such data occurs, the Cyber Crime laws kick in along with the data protection laws that may provide its own penalties for contravention of the “Data Subject’s Rights” of privacy as defined there in.

The intermediaries who collect the data are being regulated both by the Cyber Crime laws such as (Section 79 of ITA 2000) as also the data protection obligations in the laws such as PDPA 2018 (proposed).

Naavi

[P.S.:Naavi  is the Founder Secretary of CySi]

The Indian Budget proposal presented yesterday had an interesting sidelight. While discussing the proposal on the TV, Mr Piysuh Goyal, the interim Finance Minister  said that the Government is taking steps to ensure that in order to reduce harassment of IT payers if any from the department, the Government would be adopting a new system of assessment of returns.

The minister said

“Within the next two years, almost all verification and assessment of returns selected for scrutiny will be done electronically through anonymized back office, manned by tax experts and officials, without any personal interface between taxpayers and tax officers. “

It appears that the IT department has given a commitment to the tax payers that the principle of “Pseudonymization” as we use in the Data Protection scenario would be applied in the IT assessment arena as well.

In simple terms, the assessment officer would receive the returns in a pseudonymized(de-identified) set of data and make his assessment without knowing who the assessee is. It is however understood that in case the Assessment officer finds reasons to go deeper into assessment, he would recommend the return for a more detailed assessment where there may be a need to know the assessee.

However, this second level assessment will be required only for specific reasons which can be recorded in writing and reviewed if required.

IT department is the most hated of the Government departments when it comes to “Privacy” protection and “Limitation of Surveillance Rights”. It is ironic that it has become the first Government department to have indicated its commitment to the use of Privacy Protection principles in the administrative context. We need to appreciate its innovative use of the thought of de-identification.

We may recall that the Indian IT department was the first to adopt the technology innovation of “Digital Signature”, first to properly bring to the notice of the public, phishing mails in the name of the department. Now being the first Indian Government department to use “pseudonymization” marks another feather in its cap.

This development should also be taken note of by the Supreme Court which is set to hear an objection on the recent notification of the Ministry of Home Affairs about  designating 10 agencies for surveillance under Section 69 of ITA 2000. IT department (CBDT) is one of the designated agencies where there will be a nodal officer and whenever the competent authority under Section 69 of ITA 2000 (viz Home Secretary) has a requirement for interception of any information under the control of the department, the competent authority can invoke its powers.

The Supreme Court is being mislead by some of the petitioners that the MHA order of December 20, 2018 gives roving powers to the IT department to indulge in surveillance. This is a malicious interpretation as the MHA order only restricted the use of powers under Section 69 to only 10 designated agencies and no body else and the IT department was one among them.

Now with the IT department exhibiting its awareness about Privacy Protection and the main tool of such protection in the form of Pseudonymization as well as demonstrated how it can be used innovatively in its administration, the Supreme Court should accept that there is enough awareness in the department to trust it with the responsibility which may be entrusted to them under section 69 of ITA 2000 by the competent authority.

Naavi