The GDPR dilemma… Am I a Data Controller? or a Data Processor?

The European Union data protection regulation, namely the EU GDPR, which has attracted global attention due to the twin provisions of “Applicable to a controller or processor not established in the union” (ed: in some circumstances) and the obnoxiously huge administrative fine set at 4% of global turnover of an undertaking, has naturally caused a stir even in India, where many IT companies are facing the demand from their international business partners to be “GDPR Compliant”. The regulations will kick in from 25th May 2018 and there is a mad rush to understand and implement the compliance measures, as otherwise business organizations need to suspend acceptance of any GDPR-sensitive personal data until they are ready.

Everyone is a Data Processor

In the process of applying the GDPR regulations, one dilemma which organizations both in India and abroad face is to determine whether they are “Data Controllers” or “Data Processors” under GDPR.

The regulation places the main responsibility for compliance with the Data Controller and though Data Processors may also be liable under the regulation, they are under the contractual operational control of the Data Controller. Their main responsibility is to abide by the instructions of the Data Controller in terms of “Privacy by Design”, incorporating the necessary organizational and technical controls for compliance.

In any practical situation, data processing is not as simple as GDPR presumed while drafting these regulations. It is not as if there is a data subject who gives his personal data to a company and the company keeps it with itself, processes it and uses it, and takes responsibility for its security during its life cycle until it is destroyed. In such a scenario, the use of an “Informed consent” before collecting the data and adherence to its terms is feasible as envisaged under the GDPR.

However, the personal data processing that happens in the industry, which includes the IoT, Social Media, Big Data Analytics etc., is not as simple as the above scenario, where there is only one business entity which has a direct relationship with the data subject and therefore can assume the personal data responsibilities envisaged under GDPR.

As a rule, data is collected by a “Data Collector”, processed by one or more data processing companies, some of whom are spread across different countries, and the processed data is “Consumed” by a “Data Consumer”.

“Personal Data” itself is not a single electronic file such as abc.doc. It consists of multiple data elements such as name, age, social security number, email address, IP address, phone number, etc., and is one element in a data base row and column. Within this data element it is a sequence of bits of zero and one and if we want we can split the data element to byte level or even bit level.

The presence of multiple handlers of personal data, their geographical spread and the nature of data as an aggregation of data elements in a data base introduce certain complications which create conflicts when a company is genuinely trying to be compliant with the “Spirit of GDPR”, which is to “Protect the fundamental right of the EU citizen for protection of his Privacy Rights”.

GDPR has failed to provide the necessary clarity and caused a huge confusion in the market.

GDPR has defined a “Data Controller” under Article 4(7) as follows:

‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

On the other hand,

a ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller and 

 ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

“Processor” under Article 28 is the person who carries on “Processing” on behalf of a controller, providing sufficient guarantees to implement technical and organizational measures in such a manner that processing will meet the requirements of GDPR.

Since “Processing” by definition includes every IT operation that can be done on data, every person who deals with the data is a “Processor”. The Data Collector as well as the Data Consumer is also a “Data Processor”.

Under the circumstances, it is difficult to find out who is the “Data Controller”, the principal entity which is responsible for determining how the personal data has to be processed and which obtains assurances from another “Processor”.

If there is an “Intermediary” who only transmits the data in a network, there is clarity that he would be neither the Data Controller nor the Data Processor, provided he does not choose the data subject from whom the data is collected or how it is collected. Any other entity which deals with the data could be considered a “Processor”. Hence there will be many processors of data in the data processing chain within the life cycle of a data set which qualifies to be called “Personal Data of XYZ”.

This personal data takes birth at the time of its collection by the data collector and survives through processing and consumption until it is no longer required and is deleted from all the systems where it left traces during its life cycle. Such a life cycle may extend from a few days to several years, for as long as the data is useful.

For example, if a health data manager (say an insurer) has collected the health data of a newborn baby, such data is relevant at least until the baby leaves the world as an old person after 90-100 years. (Under GDPR the data ceases to be sensitive after death while HIPAA may carry it forward for another 50 years).

Throughout these 100 years of data processing, GDPR expects that the data subject should have control over the data. When the data is collected, the Data Controller should tell him who all will be processing the data (apart from why and how etc.). If there is any change in the processing, then the Data Controller has to go back to the data subject and obtain a re-permission to change the data processor, stating why such a change is required, who will be the new processor etc.

Contractually similar obligations will have to be carried through by the Processors with their sub-contractors.

If any of the processors or sub contractors are using manpower who are not employees but are under individual work contracts, each one of those work contractors would be a sub contractor and if there is any addition (or deletion) of a single work contract entity, then the information has to be carried through back to the data subject for his “Explicit Consent”.

Well, let us assume that the EU considers all this an obligation that the industry has to undertake because the individual’s right to Privacy is supreme.

So Who amongst the Data Processors is the Data Controller?

Our immediate problem is to have clarity on which of the many data processors involved in a given context is to be considered the “Data Controller”.

If we go by the definition, the person who determines the purposes and means of the processing of personal data is the controller.

In a commercial world,  “Consumer is the King” and he determines what product or service he wants to buy. If he is a “Data Consumer”, then will it be the “Data Consumer” who will be the Controller?

Though “Consumer is the King”, his rights are limited to the choices made available by a manufacturer and facilitated by a distributor or a retailer.

Then, is the “Consumer the real king”?.. Is it not the Manufacturer?… Is it not the powerful sole distributor in a region?… Is it not the powerful retailer who is offering tempting discounts?… who is really the person who determines which product needs to be supplied to the market?… are questions that we need to ask ourselves.

Beyond all these supply chain managers, what is the role of an “Advertiser” and the “Publishing Media” in determining which product is good for the consumer and which he should consume?…. Is he not the real “Controller” who determines which product is consumed by whom and why?…

If there is a similar situation where Data is being consumed by one entity but is produced by another entity, distributed and retailed by other entities, and there are Data Science experts who determine which data is reliable, which is to be consumed etc., then in this complex scenario, who is the “Data Controller”?

This is the dilemma which is now confronting the data industry.

IPR Compromised

Since GDPR expects the Data Controller to determine the processing details, whoever assumes that he is the Data Controller is demanding that all other processors share with him the identity of his sub processors, the details of processing strategies adopted, right to audit etc.

In the process the IPR of the down stream processors is seriously compromised.

If a processor shares the identity of all his sub processors with his upstream Controller, why should the Controller not short change the processor and go directly to the sub processor? In fact he will definitely do so at the earliest opportunity.

As a result, the business of intermediary processors is seriously threatened unless they are able to justify their existence with a value addition commensurate with the price they charge. This may perhaps reduce the end consumer price of a commodity or degrade the quality.

I am sure that this consumer protection was not the objective of GDPR and hence it is only an undesirable offshoot of the empowerment that GDPR had to give to the “Data Controller” so that he will be in complete charge of the downstream processing.

Why the Data Consumer should not be the Data Controller

The Data consumer is a business entity which is concerned about its business for which data is a raw material. We cannot expect the Data Consumer to be able to protect the “Fundamental Democratic Right of the Citizen”. He has direct relationship with the consumer of his product and not the data subject.

Can we expect a car dealer to worry about the person who is supplying some component to the manufacturer and take care of his interest?

Similarly, there is a distance between the data consumer and the data collector which makes it impossible to place the responsibility for protecting the data subject’s rights with the data consumer. For example, if the data subject wants to revoke his permission and withdraw the consent, will the data consumer be interested in dismantling the product he has built up and returning the data? He will somehow justify his legitimate interest and say that the data subject’s right to deletion or rectification cannot be protected.

Hence it is in principle incorrect to make the data consumer responsible as a Data Controller under GDPR. It is also inconceivable that the copy of the consent provided by the data subject is shared by all processors and the Data Consumer and that everybody refers to it and abides by it.

Data Collector should be the Data Controller

The immediate relationship of the data subject is with the Data Collector. It is the Data Collector who provides the consent request, and it is based on the trust that the data subject places in the data collector (or any benefit he receives in return) that the data subject provides his consent.

Hence if there is any future requirement of rectification, portability, access, or erasure, the data subject can contact the consent collector, who is also the data collector, and nobody else.

Hence the Privacy Right protection of an individual data subject can only be handled by the data collector.

Hence the Data Collector should be the person who should be recognized as the “Data Controller”.

The Data buyers, like the Data consumers, place their request for data with a category specification and do not say which data subject’s data they require to be collected. It is the Data Collector who, based on the demand for a particular type of data, goes to the market, collects data of different data subjects, sifts it to the requirements of different consumers and puts it in different buckets as in a “wholesale market”, and the data consumer picks up the bucket he wants.

In this kind of a scenario the data consumer is not the “Data Controller” and it is the “Data Collector” who is the controller.

Except in the case where a Data Consumer appoints a contractual data collector to collect specified individual data subject’s data, in all other cases, it is  fair to consider that the data collector is the data controller.

This approach will be practically feasible for implementation. Accordingly, where there are multiple processors involved, the Data Consumer may specify the type of data he is looking for and leave it to the next person in the data chain to determine where he will hunt for the data.

As long as the sub processors restrict the data subject requirement definition to a generic description of the type of data subject who needs to be targeted and do not specify the exact living natural person whose data is to be collected, they will remain only processors and not controllers.

The final processor who is also the data collector who goes to the living natural person from whom he collects the personal data is the only person who should be considered as the “Data Controller”. He identifies himself to the data subject and the data subject identifies himself to this data collector and they exchange the Privacy Notice and acceptance so that a contractual relationship gets established.

Any other inference would create insurmountable difficulties in implementing the GDPR provisions in toto. It will also lead to wrongful data disclosures where the data processors, not being able to properly identify the data subject, release the data subject’s information thinking that it is a genuine request.

Though GDPR provides for “Joint Controllers” and therefore every processor can be defined as a “Controller”, such approach may create a chaotic situation when a crisis of a data breach occurs where every one will be blaming every one else and every processor across the globe has to set up representative offices in EU etc.

I wish the above view is acceptable to the community. Please feel free to give me your feedback through a comment herein or through email.

Naavi


Who is Bhusan of Kolkata Police? Why does he make Abusive calls?

Yesterday, a senior citizen of Bengaluru received an abusive call from a mobile number 9051660028 in which the caller stated that he is from Kolkata Police, made some unfounded allegations against the called person and threatened him with dire consequences.

The True caller ID of the person shows his name as Bhusan and indicates that he belongs to the Police in Kolkata.

It is obvious that any ordinary person would be unnerved by an abusive call claiming to be from the Police, and more so if he is innocent and is a senior citizen. It causes a mental disturbance and harassment for which Indian law makers created a section called Section 66A in ITA 2008, which the Supreme Court decided to scrap because of its inability to understand the objective of the section. However, such harassment using the telephone is still an offence under IPC and the caller from the mobile 9051660028, whoever he is, is guilty of this offence.

I suppose Kolkata Police will trace this number and the calls made out of this number, details of which have already been sent to the Commissioner of Kolkata through e-mail and prevent such abuse of police power.

There is a possibility that the call might have been made by a person impersonating himself in the name of a genuine police person and True Caller could have provided a wrong identity. I request True Caller and Vodafone to clarify the identity of the caller and clear the name of Kolkata Police if such an impersonation has taken place.

We have many instances in recent days where either genuine Police officers or those impersonating one have indulged in criminal activities including extortion, kidnapping etc. Hence it cannot be ruled out that this is an incident of a criminal trying to extort money by threatening a person with a false accusation etc. We have not forgotten the age old case of the Mumbai Fraud by a General Manager of Gujarat Ambuja Cements who had used the name of Kolkata Police to extract around Rs 2 crores from an NRI, threatening him that somebody who was his social media contact had committed suicide and Kolkata Police has registered a case against him etc…

I therefore look forward to the Commissioner of Kolkata taking this issue seriously and conducting a thorough investigation. In the meantime, any member of the public can also respond if there exists any Bhusan in the number 9051660028 and whether he is a police officer from Kolkata and if so does he have a record of making such abusive calls.

I demand that Vodafone in particular confirm to me on my personal e-mail available on this website whether the name of the owner of the SIM 9051660028 is Bhusan. If not who is the real owner of the number and whether any calls were made from this number to a Bangalore number at 20.28 and 22.48 besides missed calls in between. On request from Vodafone, I will provide the detail of the called number if required.

I want the public to be vigilant about such calls and report it to higher officials in the Police along with the recording if possible so that honest Police officers can stand up and control such rogue elements within the force or those who are misusing the name of police.

Naavi


Is Business Contact Data, Personal Data under GDPR?

One of the questions that is bugging companies engaged in some kind of marketing to corporate executives is whether a “Work E-Mail” or “Work Phone number”, which is the “Business Contact Information” (BCI), qualifies as “Personal Information” (PI) under GDPR.

If BCI is PI then companies need to scrap any such information they might have collected in the past from their marketing efforts (This applies only to EU data subjects and not Indian data subjects) since the information has been collected earlier without a new “GDPR compliant Consent form”.

The GDPR consent form needs to be an explicit opt-in form and also contain information on the rights of the data subject. Since these conditions were not there in the earlier consent, the marketing agencies need to stop using such data unless they are able to get a re-permission, which can be obtained with a new one time request for re-permission.

There are a few who object even to sending of the re-permission request and consider it as a spam. However, if an entity earlier had a consent and now it wants to renew the consent under the new regulations, it is unlikely that any objection for such a request will stand scrutiny of any sensible Court or regulatory authority.

Though GDPR authorities may not have clarified this matter, I think it is reasonable to assume that

“If an entity has a permission to send e-mails by way of a valid consent at present and sends an email requesting re-permission including the new GDPR clauses either through a reply on the e-mail or by visiting a new web based consent form, then it may be an acceptable one-time-contact”.

In case, no reply is received, it is better to scrap the contact address and not try repeated contacts for re-permissions.

There are many consultants abroad who believe that work e-mail and work phone is undoubtedly to be considered as “Personal Information”. Some qualify the statement in respect of e-mail that if the e-mail states name@company name, it is considered personal but if it states designation@company name, it is not personal information.

I refer to two such articles that I referred to online. This reference is not to criticize the views expressed therein but only to highlight that these are the prevailing views abroad where the panic reaction to GDPR is clearly perceptible.

First is an article at beswicks.com. This is a UK based company which was in EU and is now in the transition stage after BREXIT. The author categorically states that Business E-Mail which contains the “Name” of a person is “Personal Data under GDPR”.

The second is an article in realbusiness.co.uk. This article states that the author checked with ICO and was told that Work E-Mail is not personal information. The author stated in the article as follows…

“So, for e.g. my work email address brian.connolly@pinnacle-online.com is that classed as personal data under the GDPR regulations? I rang the ICO (Information Commissioner’s Office) about this, and they were initially hesitant and then said it is NOT personal data, it relates to a company not a person.”

The author however disagrees with the view and holds that ICO was wrong and the name@company.com should be considered as “Personal Information”.

Given such opinions floating around the web, I am not surprised that many B2B marketing companies where the business executives need to take decisions on the basis of “Erring on the Safer side” would decide that BCI may be considered as PI for compliance purpose.

Of course, if we accord more stringent compliance norms to data which may not require it, there is no harm. So nothing prevents a company from deciding that all information of such nature is to be protected by adopting GDPR principles. But the cost of such compliance goes up and shareholders of such companies need to bear the extra expense.

However, we need to academically debate if this tendency to “Deciding to Crawl when only required to Bend” is warranted.

It is quite possible that the authorities who created GDPR legislation and the supervisory authorities who have to supervise them may not be correct and they may be harming business in the long run by mis-interpreting the legislation. Even if they are not, consultants who think BCI is PI will make the authorities also think on the same lines. If so, we have a duty to question their interpretation and allow them to correct their mistakes.

I therefore place before the public my arguments why it is not correct to consider that Work e-Mail address is to be considered as “Personal Identity Information” that renders it as a GDPR risk data.

One of the principles which I would like to apply here is that for any property to be called “Personal”, the “Person” should have the right to create it, use it as he likes and destroy it as he likes. None of these qualities apply to the work e-mail address. I may be an employee of an organization and carry a work e-mail ID. But it is created by my corporate IT team. I am allowed to operate it while I am in employment but only for designated work purpose. I cannot delete it even if I want, nor can I use it after my employment is terminated. In fact the contents may be accessible by my IT admin under a proper authority and for official requirement. There may even be a “Legitimate Interest” to decrypt content if required.

In effect, I am not the owner of this work e-mail ID. I only have limited rights to use it for the benefit of my employer. It is an ID of the employer for the employer and used by me for them. It is like the cabin, the table, the work computer, the work mobile, the company car, parking place and other assets that a company may give me for use as a perk.

It is interesting to note that the draft Indian law DISHA2018 which is the proposed Digital Information Security for Health Care Act  declares in the context of the legislation that “Health Information of an individual is his property”.

GDPR however does not use the concept of “Property” for the Data subject’s right on personal information.

According to Article 4(1)

‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

The definition of “Personal Data” is fairly wide and can be interpreted to mean that “Any identifier” can be considered as “Personal Data” if it is related to an identifiable natural person. My True caller app may actually identify the caller and therefore any phone number is obviously “Personal Data”. Even if the call comes from a Corporate Telephone EPABX, my True caller identifies it with my contact for whatever intelligence it has developed.

Similarly, the E-Mail contains an embedded name and the recipient often identifies the sender’s name with the name in the e-mail ID. But quite often  a prefix to an email address may not necessarily be the name of the individual.

For example, “naavi9” is the prefix to my email but my name is not naavi9. But anybody who receives an e-mail from naavi9@xyz.com may consider naavi9 as an identifier and consider that the email address belongs to me. If they consider that naavi9 is only half the name and the full name is with the domain, then we are dealing with a different situation where Vijay Kumar is not Vijay Shankar and hence “Vijay” cannot be considered as an identifier in isolation without the appendage Kumar or Shankar.

Also, we need to identify that naavi9 is an assigned name and not necessarily my name. In this particular case, I as the owner of my name (Which according to my Aadhaar consists also of my father’s name and grandfather’s name) have assigned naavi9 for e-mail purpose and hence it is the choice of the data subject.

If the recipient recognizes it as my identity, he may not be wrong. But it is just an inference he draws and not necessarily a reality. But suppose I use naavi9 at the ujvala.com domain, it could be an ID assigned by the domain owner ujvala.com to, maybe, one of his employees. In fact the recipient of an email from naavi9 at ujvala.com may not even know if ujvala.com is a company or it is just the name of some individual called “ujvala” who has created the domain. (Though .com indicates that it is a commercial entity). How then can we be sure that naavi9 at gmail.com is personal data but naavi9 at ujvala.com is not personal data?

In view of the fact that in the ujvala.com domain, the right to assign the ID naavi9 may not lie with a natural person called naavi9, but with the organization which could be Ujvala Consultants Pvt Ltd, it is improper to consider naavi9 at ujvala.com as “Personal Data/Information”.

Secondly, in the context of collection of the e-mail ID in a B2B context, the “Intention” of the user of data is to use the E-Mail ID for marketing a product or service to the Company and not to the individual. If therefore I provide a white paper download collecting the name, designation, work e-mail and work phone number under a consent form, which may also state that I will send product information to the contact, the intention is not to use the contact data for personal marketing. Hence “Intention” of the marketer itself makes this information “Non Personal”.

It is possible that I may visit a person in his office and become his personal friend or incidentally market my personal service. But such use of “Work Contact” for “Personal Marketing” should be considered as an “Exception” if it happens unintentionally.

For example, if I contact an IT head in a company to sell him a Windows Server product and he enquires and picks up a Windows personal product, then it is an exceptional instance which should come under the category of “Occasional” contact under GDPR and not intentional personal marketing.

Intention of the B2B marketer who collects the work e-mail address for further contact can be validated by the consent also.

I therefore consider that Business Contact Information should not be considered as  Personal data for the purpose of GDPR and it should be handled as such.

Domain Test, Intention Test and Consent corroboration are therefore the criteria to be applied to check if BCI should be considered as PI in a given context.

As I have already stated, this is an opinion on “Why BCI is not PI” by a consultant who is academically oriented.

But for corporate managers, it is their option to err on the safer side and consider even the name of the company as “personal information” if they so desire and subject it to GDPR restrictions.

After all, a person cannot be blamed if he wants to use an Axe where your nail will do. (A proverb in Kannada-ಉಗುರಲ್ಲಿ ಹೋಗುವುದಕ್ಕೆ ಕೊಡಲಿ ತೆಗೆದು ಕೊಂಡಂತೆ ).

Naavi


Shafhi Mohammad Judgement encourages Face Book Crime… Calling the attention of the Chief Justice of India

The January 30, 2018 order of the two member bench of the Supreme Court consisting of Justices A.K.Goel and U.U.Lalit, in the case of Shafhi Mohammad Vs State of Himachal Pradesh (SPECIAL LEAVE PETITION (CRL.)), was discussed in these columns earlier. While commenting on the order, it was pointed out that it would unleash “Judicial Anarchy” in India, as it would encourage lower Courts to pass judgements against the higher Courts by way of “Clarification”, and also because this judgement, having the banner of the Supreme Court, could put the lower courts in a state of confusion on how to address the Section 65B (IEA) certification. The final judgement of 3rd April 2018, as a final order on the SLP, has indicated that the Court has not made any attempt to set right its erroneous interim order.

The Judgement was also called a “Tragedy” since it indicated the inability of the Supreme Court to understand technology and an attempt to find short cuts to some imaginary problems.

It was pointed out that the erroneous judgement would give a thrust to mischievous criminals who would fabricate evidence to harass innocent persons.

Unfortunately, the speculation that this Supreme Court judgement would spur Cyber Crimes appears to be coming true sooner than expected.

The essence of the objections raised is as follows.

  1. Under Section 65B of the Indian Evidence Act (IEA), an electronic document is admissible in a Court without the production of the original if it is properly certified as required under the section.
  2. There is some confusion in the Judiciary as well as some legal practitioners as to why certain procedures mentioned in the section are relevant and how they should be interpreted. This includes who has to issue the certificate and how the certificate has to be constructed etc. These have been explained in detail in the columns of www.naavi.org and www.ceac.in
  3. The Supreme Court itself in the celebrated case of P.K.Basheer has explained at length why Section 65B certificate is mandatory under Section 65B and it has been so since 17th October 2000 though different Courts were unable to understand the section and allowed its violation from time to time. This was a three member bench of the Supreme Court and the Shafhi Mohammad bench had no authority to amend the judgement with a “Clarification”.

During our earlier discussions on the Shafhi Mohammad judgement, we have clearly pointed out that it gives a free license to falsify evidence and it could be mis-used.

Now one such case has been reported from Bangalore and is an indication that more such cases will surface in the coming days.

Further, we predict that the Police themselves under the influence of the politicians will falsify evidence and create human rights issues in future. At that time the same Supreme Court will harp on “Freedom of Speech”, “Right of Privacy” and other fundamental rights to criticise the Police. Politicians will then direct the criticism against the Modi Government. The rebellious judges of the Supreme Court and the activist lawyers like Dushyant Dave, Kapil Sibal etc will enjoy the predicament of the Government.

The complaint I am referring to is an incident where a suspected student of an educational institution posted a message on the timeline of the Dean, took a screenshot, distributed it in WhatsApp groups, and then deleted the timeline post. After this, a police complaint was filed, either by the same person or by somebody at his instance, that the Dean had made the objectionable posting and had since removed it.

It is clear that such insertion of objectionable posts on a Facebook timeline can be done wherever the owner of the Facebook account has enabled postings on his timeline by the public or by Friends.

While we advise every reader to check the Privacy Settings in their Facebook account to ensure that such postings on the timeline are limited to “Me Only”, we proceed to discuss here how the Shafhi Mohammad judgement creates a problem for the innocent victims of such crimes.

According to the Shafhi Mohammad judgement, since the Facebook account of the Dean is not under the control of the complainant, there is no need for him to submit the Section 65B certificate along with the printout of the screenshot allegedly containing the objectionable post. It would be admissible, and the trial would begin with the Dean trying to defend himself by showing that he neither posted the content nor deleted it subsequently.

The only party that can come to the assistance of the Dean is Facebook, which must have the log records, including the IP address of the person who made the objectionable post. But getting the evidence out of Facebook is impossible for an ordinary mortal unless the Police move quickly, which in most cases is not possible.

(Ed: we have earlier pointed out how the Cyber Crime Police Station of Mumbai-BKC botched up a complaint by refusing to issue a simple request to Google for an IP address resolution possibly in pursuance of some illegal gratification and the higher officials of the Mumbai Police did nothing to correct the situation even when it was brought to their attention. Refer here)

If the Section 65B certificate is considered mandatory, then the complainant would have to file the certificate. It could have been filed by the complainant himself, in which case the Court would have the option to reject it as not credible since it is “Self Serving evidence.”

If it is submitted by a trusted third party, such a person would have to view the objectionable post himself and certify its existence with some additional information, and also be ready to face the charge of “perjury” if it really did not exist on the timeline.

Since the Section 65B certificate is a matter-of-fact certification, the certifier would not be able to forensically certify the genuineness of the posting, but he would have given some additional material information for the investigation to proceed. This would have created one hurdle for the complainant: first to find a suitable accomplice to provide the certification, and then to convince him that the request is genuine. The credibility of the certifier could then have acted as an additional check against the provision of false evidence.

Unfortunately, if the Shafhi Mohammad judgement is to be applied, there would be no need for a Section 65B certification, and it is left to the wisdom of the Court to accept the evidence as presented and proceed with the trial.

By God’s grace, we can say that the “Clarification” provided by the SLP order is by a two-member bench and hence should be ignored. But we strongly feel that this tendency of a smaller bench to pass an order overturning the larger bench’s view and terming it a “Clarification” needs to be corrected by the intervention of the CJI.

In the meantime, we urge the Bangalore Cyber Crime police to prove that they are not like the Cyber Crime Police of BKC, Mumbai, and to ensure that Facebook is made to provide the evidence so that the complaint is resolved appropriately. If during the investigation it is found that the posting was done by the complainant himself, he should be punished for hacking into the Facebook account of the Dean with a dishonest intention, and action should be taken under Section 66 of ITA 2008 along with other provisions of IPC.

In case, like the BKC Cyber Crime Police Station, Bangalore Cyber Crime PS also dithers, then innocent victims will keep cursing the Shafhi Mohammad judgement until it is corrected.

Naavi


Section 79A .. Notification of some Labs as “Digital Evidence Examiner”

Here is an article from Mr S.Balu on Section 79A and the accreditation of labs as Digital Evidence Examiner. This article was published in the magazine Kakin Pakkam of the TN police.

Mr Balu was formerly the DySP in charge of the Chennai Cyber Crime cell and was the person responsible for the successful first conviction under ITA 2000, in the case of State of Tamil Nadu vs Suhas Katti.

Presently Mr Balu is the President of Cyber Society of India, Chennai and is a consultant who works with an NGO in Chennai.

Here is the article

Naavi


Is Media guilty of Tampering with the voter’s minds?

One section of the media commenting on the Cambridge Analytica incident is strongly critical of the developments, holding that Digital marketing agencies are manipulating public opinion through campaigns designed by profiling the voters. In the context of the forthcoming election in Karnataka, it is being stated that some Digital marketing companies are engaged in the unethical activity of trying to change the mindset of the voters.

In these discussions, the media has been completely hypocritical and their bluff needs to be called. Every marketing activity in the world is about changing the decision of the target audience in favour of a product. Marketing per se is therefore a legitimate activity. In Marketing or Advertising, however, we make a distinction between “Ethical” and “Unethical” communication.

If the Advertiser is making false propositions through his advertisement, it is unethical and fraudulent and needs to be condemned. But if the advertiser is using creative communication to make the target audience believe that the product being marketed is beneficial to them because it has some features X, Y, Z, then it is perfectly legitimate.

Similarly, in election advertising, what we the citizens as well as the Election Commission have to see is whether the message used in the advertisement is true, false or utterly false and misleading.

As regards profiling, it is for the marketing agencies to use their own analysis of the data available to them to decide what communication is good for a given audience. If this is called “Profiling”, it is nothing but “Market Segmentation”.

Hence the objections to the profiling activities of Digital marketing Companies are misplaced, since the same objections can be raised against every other advertisement, including the advertisement for a chocolate or for IPL.

Another major objection I have to the media talking about “Trying to manipulate the voter’s mind” through advertising by digital media marketers is a question to these media gurus: is journalism itself not about creating “opinions” and “Changing opinions”?

Every media article is written with the objective of conveying an opinion. The days of “Factual Reporting”, which was the practice in Government controlled AIR and DD in the past, are gone.

Most TV news today is about “Debates” in which different political parties speak to support their own political agenda, and the Anchors provide opportunities for spokespersons to speak lie after lie in the interest of “Balancing” the debate. Depending on the Anchor’s own prejudice, they add to the lies. The entire debate is therefore directed only towards forming a public opinion, and there is no ethics in TV journalism today.

In the Karnataka election, Rahul Gandhi speaks of “Being against Corruption” and “Being Religious”. Is there a greater joke than such statements? Journalists of all hues talk as if these statements deserve to be publicised on TV and not censored straight away by the anchor at the debate table.

If journalists want to complain about Digital Marketing and “Tampering with the voter’s mind”, then they should first stop the false campaigns they run in TV debates in the hope that some of the audience will get converted.

But what these journalists do not understand is that the public are intelligent and can see through the statements of the politicians immediately. Most debates are therefore a waste of time, and the audience is either not listening or listening selectively.

I therefore urge that the media should think of changing their debate style, eliminate all political spokespersons from the debates, and stick to discussion of issues by professionals who can comment on the issue irrespective of whether it is advantageous to one political party or the other.

The Election Commission should see how it can regulate these debates in which false statements are made deliberately and maliciously. These are worse than advertisements and should be stopped on grounds of “Ethics” as well as “Fraud” on the voters.

Will the Election Commission be fair? Will the Journalists be honest in this respect?

Naavi
