Smart Cities in India and ITA 2008

When ITA 2000 was drafted, concepts such as “Smart Cities”, “Driverless cars”, “Artificial intelligence” or “Humanoid Robots” were not very much in the realm of the vision of the law makers. The main objective was to facilitate E Commerce.

In 2008, ITA 2000 was amended to provide some additional security against Cyber Crimes. At that time the focus was on “Intermediary Liability”, but the vision was still restricted to liability arising out of crimes occurring on E Commerce platforms and to what extent the owner of the platform should be held liable for offences committed by third party users.

In the context of Smart Cities, the infrastructure depends heavily on “Automated Sensors” which collect data and pass it on to a central processor; the central processor is programmed to take automated decisions based on the data input and send operational instructions back to decision enforcement mechanisms. There is a debate on whether ITA 2008 can address the new challenges thrown up by the Smart City ecosystem.

In this process, we face legal queries on whether we are violating “Privacy” while our sensors collect information, and whether mistakes committed by our “Central Processors”, armed with Big Data analytic capabilities using Artificial Intelligence, are punishable as cyber crimes, etc.

The recent Uber autonomous car accident in Arizona has highlighted the consequence of failures by the sensors or the processing systems.

Also, Big Data Analysis which takes raw data from some source and adds intelligence to it to make it more useful information for third parties has raised issues of “Ethics” as we see in the Cambridge Analytica case.

It is interesting to note that, without any inkling of such possibilities, ITA 2000 provided that “An action by an automated system is attributable to the person who caused it to behave automatically”. By this one section, all actions of automated systems have been brought under legal scrutiny just as if a human was sitting there operating the system, though he might have used an algorithm as a tool. Such a person could be the owner of the system, like Uber in the Arizona case.

It is open to Uber to hold the software developer or the sensor manufacturer liable for their part in the failure of warranty, depending on the contractual obligations. Under Section 79 of ITA 2000/8, read with Section 85, criminal punishments can also be imposed on intermediaries and their executives for adverse actions by automated systems.

If, therefore, automated systems in a smart city cause any accident, Indian law has somebody to hold accountable.

As regards the Big Data analytics, current practice is to depend on the “Consent” obtained by the “Data Collector” who collects the personal data.

If the data collector adds value to the information, then the right over the value addition is claimed by the person who added the value. This is recognized under IPR.

The value added information is different from the raw data handed over by the data subject, and hence the contract of data collection has to specify whether the data subject permits creation of value over the raw data provided by him and whether he is entitled to any benefits thereof. Otherwise he may not be able to object to the value creation.

Naavi has recommended earlier that personal data should be treated as property and could be made transferable for a consideration, with a royalty payable to the data subject if the value is encashed by the data collector. However, a proper mechanism does not exist for this purpose, and hence the value adder is free to make a profit on the basis of the raw data supplied by the data subject.

However, when the value addition processing of personal data leads to creation of any “Profile Data” which is used in such a manner as to defame the data subject it may be considered punishable whether or not there was a consent or whether the data was collected from the data subject or from a third party.

The “permission to transfer” and the “Conditionalities of such transfer” inherent in the consent determine whether the Data analytics becomes a “privacy issue” or not.

The damage created by an aggregator or processor of data to the data subject is not much different from the damage that may be created by a malicious person who hacks into CCTVs or other devices of another owner and uses them for unauthorized surveillance or DDoS attacks. With Smart Cities using CCTV and other monitoring devices in plenty, they are a fertile ground for misuse by hackers if the security is weak. The legal implication of such damages (e.g. the Dyn attack) is determined under Section 43A of ITA 2008, which imposes “Reasonable Security Practices” on the owner of a device.

The data aggregators or value processors are however in the nature of “Intermediaries” and their liabilities will be determined with the application of the “Due Diligence” principles.

One Due Diligence aspect that can be considered when personal data is transferred to another person is to transfer the data along with the consent, so that the downstream data processor is aware of the consent restrictions. This again is not an established practice, but it can be considered.

Hence a “Self imposed Ethical Standard” as due diligence is the only available means through which the downstream user of data can be expected to protect the privacy of a data subject with whom he has no direct contractual contact.

Also, when data is transferred from one data collector to another data processor, if the data is pseudonymized, then the obligations of both the data collector and the downstream processor would be either absent or substantially reduced. This can happen in many instances of research, but not when the processing is intended to be used for marketing. But “Marketing” is almost always a category of use that is prohibited in any consent, and hence its prohibition can be considered a “Presumption” unless the contrary is proved by an “Explicit Consent”.

When “Artificial Intelligence” is used in a Smart City scenario, the sensors (Including CCTVs equipped with face recognition or Gait recognition) are “machines” which collect the personal data. The “Privacy Breach” therefore is not evident unless the data is disclosed to a human being. As long as the data is being processed within the system, it is difficult to say if the “Privacy has been breached” though it could be a step towards eventual breach of privacy.

Again this is a grey area for law and we need to consider that just as we say “Privacy” is a right available only for “identifiable, living individuals”, we can define that a “Breach of Privacy” is recognized only when a “Living individual” accesses “identifiable personal data” without the consent of the data subject.

With such a definition, the Smart City processing can be largely relieved of the privacy obligations as any data which is collected can be filtered into “Suspect person’s personal Data” and “Non Suspect person’s personal data” with the non suspect person’s personal data being de-identified by the machine itself.

Only the “Suspect person’s personal data” may be escalated to human intervention and as long as the machine (or the person who owns its actions) can justify “Reasonable Doubt” as to why the data subject should be considered as a “Suspect”, Privacy breach may not be considered to have occurred.
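The machine-side filtering described in the preceding paragraphs, as an added example (not code from the original post): the system separates records of "suspect" and "non-suspect" persons, de-identifies the non-suspect records with a key that never leaves the machine, and escalates a suspect to a human only when a recorded justification exists. The record layout, the watchlist, the key and the sample sightings are all constructed for this example.

```python
"""Machine-side triage of smart-city sensor records (added example).

Not code from the original post. The machine separates "suspect" from
"non-suspect" records, de-identifies the non-suspect ones before any human
sees them, and escalates a suspect only when a justification ("reasonable
doubt") is on record. Records, watchlist and key are constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Pseudonymisation key held only inside the machine (constructed value).
MACHINE_KEY = b"constructed-key-never-leaves-the-machine"


@dataclass
class SensorRecord:
    subject_id: str   # match id produced by face or gait recognition
    name: str         # direct identifier resolved by the recognition system
    location: str
    timestamp: str


@dataclass
class Escalation:
    record: SensorRecord   # full identifiable record, released to a human
    justification: str     # why the subject is treated as a suspect


def pseudonymize(subject_id: str, key: bytes = MACHINE_KEY) -> str:
    """Keyed hash: stable per person, not reversible without the machine key."""
    return hmac.new(key, subject_id.encode(), hashlib.sha256).hexdigest()[:16]


def triage(records: List[SensorRecord], watchlist: Dict[str, str],
           key: bytes = MACHINE_KEY) -> Tuple[List[Escalation], List[dict]]:
    """Split records into escalations (suspects) and de-identified records.

    watchlist maps subject_id -> justification. An entry with no
    justification does not satisfy "reasonable doubt", so that subject is
    handled like any non-suspect and never reaches a human in identifiable form.
    """
    escalated: List[Escalation] = []
    deidentified: List[dict] = []
    for rec in records:
        justification = watchlist.get(rec.subject_id, "").strip()
        if justification:
            escalated.append(Escalation(rec, justification))
        else:
            # Direct identifiers (name, subject_id) are dropped here.
            deidentified.append({
                "pseudonym": pseudonymize(rec.subject_id, key),
                "location": rec.location,
                "timestamp": rec.timestamp,
            })
    return escalated, deidentified


# Constructed sample input: four sightings from two cameras.
SAMPLE_RECORDS = [
    SensorRecord("face-0001", "Person A", "gate-1", "2018-03-20T09:00:00"),
    SensorRecord("face-0002", "Person B", "gate-1", "2018-03-20T09:00:05"),
    SensorRecord("face-0001", "Person A", "gate-2", "2018-03-20T09:04:00"),
    SensorRecord("face-0003", "Person C", "gate-2", "2018-03-20T09:04:30"),
]
# Constructed watchlist: one entry with a justification, one without.
SAMPLE_WATCHLIST = {
    "face-0002": "matches description in complaint no. CONSTRUCTED-42",
    "face-0003": "",
}


def run_demo() -> Tuple[List[Escalation], List[dict]]:
    return triage(SAMPLE_RECORDS, SAMPLE_WATCHLIST)


if __name__ == "__main__":
    esc, deid = run_demo()
    for e in esc:
        print("ESCALATE", e.record.name, "->", e.justification)
    for d in deid:
        print("DE-IDENTIFIED", d)
```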

Presently, these thoughts are being presented as an extension of the present laws. If this is universally accepted, then we may not need a separate Cyber law for Smart cities. If not, we may consider some amendments to ITA 2008 to add clarifications necessary to expand some of its provisions as may be required.

Naavi

Posted in Cyber Law

CCTV footages.. Whose property is it any way?

Dr Pratap Reddy, Executive Chairman of Apollo Hospital, has stated that Apollo Hospital had turned off the CCTV cameras placed in the ICU when the late Tamil Nadu Chief Minister J. Jayalalitha was undergoing treatment. (Refer report here).

In the light of a strong suspicion that Ms Jayalalitha could have been murdered through a political conspiracy, the action of Apollo Hospital in deliberately switching off the CCTV cameras raises the question whether Apollo Hospital and Dr Pratap Reddy should face criminal charges of abetting a murder. If there was a CCTV facility in the hospital, there must have been a reason for it. Mr Pratap Reddy should explain why the CCTV was running when every other ordinary patient was there, without regard to their Privacy, but was switched off only when Ms Jayalalitha was in the hospital.

Similar issues have come to the fore in the suspected murder case of Sunanda Pushkar, where CCTV footage at Hotel Leela Palace went missing. There are many other instances where either the Police have seized the CCTV device and later said that they did not find anything on the DVD, or the private establishment which maintained the CCTV itself said that the CCTV was not functioning when a VVIP crime took place right under its nose.

As a result, the ubiquitous CCTV is available when they want it, and it is claimed to have been unavailable whenever there is VVIP pressure to suppress the truth.

This incident highlights an important policy issue in the country about the Privacy implications of installing CCTVs in public and semi-public places. The Srikrishna Committee working on the new Data Protection law in the country needs to take this into consideration and make a specific provision: if CCTV, with or without face recognition or gait recognition capability, is a tool of security for the community and is permitted to be installed in public places (and semi-public places) without being considered a “Privacy Breach”, then there has to be accountability for the footage captured.

We should not allow CCTV footage to be selectively used as evidence in some cases and selectively ignored in others without the owner being prima facie suspected of having erased evidence when he claims that the CCTV footage in a particular instance is not available. At the least, he should be made liable to provide a proper explanation under the “Due Diligence” concept of why, in a specific instance, the device was not functioning.

If any person provides a “Consent” (express or deemed) to be monitored in a given situation, then the data collected about himself and his behaviour should be treated as the property of the data subject. He should have the right to ask for a copy if required. Privacy laws such as the GDPR provide a right to erasure, a right to rectification and a right to portability of personal data, and CCTV footage must be treated as “personal data” of the data subject. The CCTV data collector cannot be allowed to state arbitrarily that in some cases data is available and in others it is not.

This principle should be tested now by subjecting Apollo Hospital to a rigorous criminal investigation in respect of the suspected murder of J. Jayalalitha. Simultaneously, I draw the attention of the Justice Srikrishna committee to incorporate such provisions as necessary in the new Data Protection act to make CCTV managers accountable for what they collect as data while claiming exemption from general Privacy principles, either for “National Security” reasons or under the cover of a “Consent”.

Naavi

Posted in Cyber Law

Cambridge Analytica and Indian Cyber Laws

The news report that the personal profiles of 50 million Facebook users were collected and used without authorization to help Trump win an election has opened a new debate on Privacy and Data Protection in India. The BJP and Congress parties are fighting on TV, each blaming the other for indulging in a similar misuse of personal data, while the local subsidiary of Cambridge Analytica (CA), the firm accused of the misuse, claims to have served both BJP and Congress in different elections.

Much of the debate that is happening in this connection appears to be dishonest and hypocritical and the bluff has to be called.

We must first recognize that CA is supposed to have collected the data through an App which was voluntarily downloaded by users who gave consent for access to their personal information. The person who collected the information on the basis of that consent used it as data for some kind of research for targeted advertising. The research was bought by Trump’s campaign managers, and hopefully he benefited from it.

Just as in India anything done by Modi is objected to, the anti-Trump brigade is alleging that the US election was tampered with because of the profiling done by the consumer research company and the targeted advertising for which it was used. Even if the firm had done “Psychological Profiling” from the data available, as long as the data was in the public domain or obtained through informed consent, there is no breach of Privacy. There are FinTech companies which do data analytics for fixing credit limits, and if data analytics is used to create innovative advertising, it is neither a surprise nor something to be scoffed at.

This sort of data collection from public resources or through informed consent cannot be objected to just because we do not like Mr Trump winning.

If there is any real objection, one has to go into the question of whether the “Informed Consent” was actually obtained through fraud, and if so the data collector, namely the British academic Aleksandr Kogan, has to be brought to book.

Presently all Privacy Laws place their faith in such consents. But if the Data Collector breaches the agreement and sells the data to another person who uses it for a purpose other than that for which it was provided, it can be objected to only on grounds of “Breach of Contract”, “Breach of Trust” etc.

As regards the third party who bought the data, data protection acts need to impose a “Due Diligence” obligation to disclose the intended use to the data vendor and obtain the vendor's confirmation that the purchased data can be used for that specific purpose. Since “Advertising” is a legitimate purpose, if the data collector offers data for advertising to an advertiser, the advertiser may buy it under the premise that the data subject must have provided the necessary consent.

Whether the secondary data user is expected to check if the original consent provided to the data collector permits such use is a matter yet to be clearly defined in law, though it could be an ethical and moral issue. Also, in many cases even the buyer may not be aware how exactly he is going to use the data and how he can benefit from it. He may simply be buying it speculatively, to discover some value added derivatives out of it which he may trade.

It is therefore hypocritical for us to express surprise that FB data could be used for profiling, that profiled information can be used for advertising, and that such advertising could be for political campaigns. All this has to be expected in the era of Big Data analytics and Artificial Intelligence.

In fact, while the laws on privacy so far have missed the need to impose “Due Diligence” on the secondary user of personal data (and this can be taken note of and included in the Indian Data Protection Laws), we can draw attention to Section 66B of ITA 2008, which provides a possibility of “Stretching the legislative intent indicated in the section” to cover the misuse of data. Section 66B is actually meant for punishing the use of stolen computers and mobiles and uses the term “dishonestly receives and retains any stolen Computer Resources”. If we can consider data as a computer resource, and the use of data for a purpose other than what it was meant for as “Stealing”, then Section 66B can be stretched to the data misuse scenario, though this is not recommended.

Maybe the Justice Srikrishna panel can include a clause such as:

“Any user of personal data shall exercise due diligence to ensure that the purpose for which it may be used is consistent with the consent provided”

Perhaps this is the lesson we can take out of this incident apart from what we have already discussed as to the need of an intermediary called “Data Trust” in the Data Protection environment.
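The due diligence clause quoted above, together with the earlier post's suggestion (in the Smart Cities article) that the consent should travel with the data and that marketing is presumed prohibited unless explicitly consented to, as an added example that is not code from the original posts. The field names, purpose labels and sample records are constructed; the pseudonymization here simply strips direct identifiers.

```python
"""Consent travelling with personal data, and a purpose check by its user.

Added example, not code from the original posts. Consent restrictions are
handed over together with the data so the downstream user can check the
intended purpose against them; "marketing" is prohibited unless the consent
names it explicitly; pseudonymized data may be used for research. Field
names, purpose labels and sample records are constructed.
"""
from dataclasses import dataclass, replace
from typing import Dict, FrozenSet, Tuple

PRESUMED_PROHIBITED = frozenset({"marketing"})   # needs explicit consent
DIRECT_IDENTIFIERS = ("name", "email", "phone")


@dataclass(frozen=True)
class Consent:
    collector: str              # who obtained the consent from the data subject
    purposes: FrozenSet[str]    # purposes the consent explicitly names
    transfer_allowed: bool      # the "permission to transfer"


@dataclass(frozen=True)
class DataPackage:
    payload: Dict[str, str]
    consent: Consent            # travels with the data on every transfer
    pseudonymized: bool = False


class TransferNotPermitted(Exception):
    pass


def transfer(pkg: DataPackage) -> DataPackage:
    """Hand the data downstream; the consent goes with it unchanged."""
    if not pkg.consent.transfer_allowed:
        raise TransferNotPermitted(pkg.consent.collector)
    return DataPackage(dict(pkg.payload), pkg.consent, pkg.pseudonymized)


def pseudonymize(pkg: DataPackage) -> DataPackage:
    """Strip direct identifiers before a research use."""
    payload = {k: v for k, v in pkg.payload.items() if k not in DIRECT_IDENTIFIERS}
    return DataPackage(payload, pkg.consent, pseudonymized=True)


def check_purpose(pkg: DataPackage, purpose: str) -> Tuple[bool, str]:
    """Due-diligence check a downstream user runs before using the data."""
    c = pkg.consent
    if purpose in c.purposes:
        return True, "explicitly consented"
    if purpose in PRESUMED_PROHIBITED:
        return False, "presumed prohibited without explicit consent"
    if purpose == "research" and pkg.pseudonymized:
        return True, "pseudonymized data, obligations reduced"
    return False, "purpose not covered by the consent"


def run_demo() -> Dict[str, bool]:
    """Constructed scenario: consent given for credit scoring only."""
    consent = Consent("collector-app", frozenset({"credit_scoring"}), True)
    raw = DataPackage({"name": "Person A", "email": "a@example.invalid",
                       "score": "710"}, consent)
    downstream = transfer(raw)
    results = {
        "credit_scoring": check_purpose(downstream, "credit_scoring")[0],
        "marketing": check_purpose(downstream, "marketing")[0],
        "research_raw": check_purpose(downstream, "research")[0],
        "research_pseudonymized": check_purpose(pseudonymize(downstream), "research")[0],
    }
    # The presumption against marketing is rebutted only by explicit consent.
    explicit = replace(consent, purposes=frozenset({"credit_scoring", "marketing"}))
    results["marketing_explicit"] = check_purpose(DataPackage(raw.payload, explicit),
                                                  "marketing")[0]
    return results


if __name__ == "__main__":
    for purpose, allowed in run_demo().items():
        print(f"{purpose}: {'allowed' if allowed else 'denied'}")
```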

Naavi

Posted in Cyber Law

Can Maharashtra Government Amend IT Act?

A news report from UNI states that the Minister of State for Home (Urban) in Maharashtra, Mr Ranjit Patil, has made a statement in the Legislative Council of Maharashtra that “Maharashtra Government will amend Information Technology Act to regulate illegal online betting and curb debit and credit card frauds”.

The intention of the Minister to control a crime committed through the Internet is well appreciated. However, it is necessary to explore:

a) Is the amendment of ITA 2000/8 required to take action against an online betting website?

b) Is the State Government empowered to amend ITA 2000?

If “Betting” is illegal, it is so whether it is done with paper or electronic documents or using digital communication. Prosecution for “Illegal betting” can always be launched under the IPC using electronic evidence presented properly under Section 65B of the Indian Evidence Act. Hence there is no need to amend ITA 2000/8, and the Government need not waste its time on this matter.

Further, the powers of the State Government are defined under Section 90 of ITA 2000, which states as under:

Section 90 Power of State Government to make rules

(1) The State Government may, by notification in the Official Gazette, make rules to carry out the provisions of this Act.

(2) In particular, and without prejudice to the generality of the foregoing power, such rules may provide for all or any of the following matters, namely:

(a) the electronic form in which filing, issue, grant, receipt or payment shall be effected under sub-section (1) of section 6;

(b) for matters specified in sub-section (2) of section 6;

(3) Every rule made by the State Government under this section shall be laid, as soon as may be after it is made, before each House of the State Legislature where it consists of two Houses, or where such Legislature consists of one House, before that House.

These powers are limited to “Making Rules” to carry out the provisions of the Act and do not extend to “Making New Law”.

If any amendments are required, they have to be proposed in Parliament and passed as central legislation. One example of the State's rule-making powers would be to carry out the requirements of Sections 6, 6A, 7, 7A, 8 or 9 of ITA 2000/8, which relate to E-Governance. Some powers under Section 69 may also require rules to be made under local laws.

In the past some States did pass laws for Cyber Cafes under the local Police Acts, but now there is a separate Cyber Cafe regulation under ITA 2000/8 itself. Some State Governments have used their powers to designate “Protected Systems” under Section 70, though it is considered prudent that the notification under Section 70 should come from the Central Government.

I hope that the Maharashtra Government takes note of the limitations on State powers under ITA 2000/8 and does not pass any legislation which may not stand the test of law if challenged. Even if not challenged, such “Ultra Vires” legislation creates problems in future when convictions are challenged on the ground of the unconstitutionality of the laws.

What Maharashtra Government can do

If the State Government of Maharashtra has to take steps to strengthen the Cyber Crime system in the State, it needs to focus on improving its Cyber Crime Policing system, which requires urgent attention.

I have brought to the attention of the Maharashtra Police through these columns one instance where the Cyber Crime Police Station in BKC, Mumbai failed to undertake investigation of a simple complaint made by a multinational company which required urgent action to trace the IP address from which some offending e-mails were being sent. Neither the officials in charge of the Cyber Crime Police Station nor the Police in the jurisdictional police station to which the case was transferred took any action to resolve the case. The top officials of the State police also failed to respond to the request from the undersigned, and the case went dead.

There is no use in trying to amend the laws and introduce unnecessary new provisions just to claim that the Government is taking some action. There is a need to ensure that Police in the Cyber Crime police stations and the jurisdictional police stations are properly trained, both in the skills required for resolving Cyber Crimes and in the attitude required to help victims of Cyber Crimes without corruption. This will at least ensure that the current laws are properly implemented.

I have made some suggestions in my earlier article titled How to Relieve Cyber Police in India of needless burden and make them more focused, to improve Cyber Crime investigation at the base level of IP address resolution. If the Maharashtra Government is interested in improving Cyber Crime handling in the State, I request them to consider the suggestions made here to ensure that Cyber Crime complaints are resolved more efficiently than at present. This is well within the powers of the State Government.

I appeal to the CM of Maharashtra, besides the Minister of State Mr Ranjit Patil, to consider the suggestion made.

Naavi

Posted in Cyber Law

Autonomous Car Accident opens debate on legal responsibility

An unfortunate but historic event occurred in Arizona on 19th March 2018, when a self-driving Uber car hit and killed a woman crossing the street. (Refer Reuters article here).

The pedestrian who lost her life was a 49 year old lady named Elaine Herzberg. It appears that there were no passengers in the vehicle, but a driver was behind the wheel though the car was in autopilot mode. The vehicle is said to have been going at a speed of 40 mph at the time of the accident (Refer abcnews.com).

This may not be the first accident of a driverless car, but it is considered the first accident of such a car resulting in a fatality. Uber has rendered its apology (Refer Guardian), and statistics are out to say that accidents do happen even in manually driven cars. It has also suspended operation of its autonomous cars across the USA and sent a team to investigate the cause.

According to one statement, the driver could technically have overridden the auto mode. This raises several legal issues on fixing responsibility for the accident. Was it the inability of the manual driver behind the wheel that caused the accident? Or was it the AI driving the vehicle? If so, is Uber responsible for the accident? If Uber bought the software from a software company, is that company responsible for the accident?

There has to be a forensic investigation of what went wrong, since there could be several independent components of the car, such as navigation, brakes and sensors, which had to act in coordination, and the failure could have occurred in any of these parts. Functionality of each of these parts could be the responsibility of different companies who were sub-contractors of Uber.

Will the current Cyber Laws be able to meet such requirements? That is the first question that crosses our mind. In India, an “Automated” activity is attributed to the person who “Caused” the system to behave automatically.

In this case, the car malfunctioned because the sensor failed to detect the obstacle and instruct the brake system, and/or the brake system failed to react in time. The persons responsible for the sensor, internal communication and brake systems, as well as the aggregate owner, namely Uber, have direct and vicarious liabilities. Each will declare their “Due Diligence” and try to shift the blame to another. Maybe there will be a need for a Section 65B certificate of evidence, countered by a Section 79A accredited Digital Evidence Examiner, for a Court to consider the liability.

Whatever the law may say, if this accident had occurred in India, the first attempt of any person who may be held responsible would be to ensure that the evidence is tampered with. The Police, as they do in other cases where CCTV footage is seized, would try to take control of the car with its internal data, and the fate of the case would depend on whether they faithfully preserve and produce the data to the Court. In all probability the politicians would try to intervene and ensure that the reputation of their favoured people is not damaged. They may somehow prove that all the forensic data was corrupted and is not available, or produce select data to prove that the person behind the driving wheel had manual control at the time of the accident and was responsible for it, and not the “Car Company”.

I am sure that the Arizona Police will be more objective and try to scientifically analyze the causes of the accident and contribute to the development of the science behind the creation of driverless cars. In that context, we can consider this as an “Accident”, look at the statistics and proceed to learn from it.

But one important requirement in such cases is to ensure that the “Evidence” does not get destroyed or left to the whims and fancies of one agency, even the Police. Also, in a more violent accident the physical damage to the vehicle can itself destroy the evidence.

Hence there has to be a tamper-proof “Black Box” capturing encrypted data which can be decrypted only by a reliable authority. Also, a good part of the data should be transferred in real time, out of the control of the car owner, to a remote location, to be opened only under judicial intervention.

Securing the evidence in such cases is very important for the development of secure driverless cars for the future.
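One way the tamper-evidence and real-time off-vehicle transfer described above can be built, as an added example (not code from the original post or from any vehicle maker): each event is hash-chained to the one before it and every chain head is copied immediately to a store outside the car owner's control. The remote store is simulated in memory, the events are constructed, and encryption of the log to the authority's key is assumed to be layered on top and is not shown.

```python
"""Tamper-evident "black box" event log with real-time remote anchoring.

Added example, not code from the original post. Each event is hash-chained
to the previous one and every chain head is anchored at once in a remote
store (simulated in memory). Verification detects rewritten or dropped
events by recomputing the chain against the anchored heads. Encryption to
an authority's key is assumed as a separate layer. Events are constructed.
"""
import copy
import hashlib
import json
from typing import Dict, List, Tuple

GENESIS = "0" * 64   # chain head before the first event


class RemoteAnchor:
    """Stands in for the off-vehicle store opened only under judicial order."""

    def __init__(self) -> None:
        self.heads: List[str] = []

    def anchor(self, head: str) -> None:
        self.heads.append(head)


def entry_hash(prev: str, event: Dict) -> str:
    """Canonical JSON so the same event always hashes the same way."""
    payload = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev + payload).encode()).hexdigest()


class BlackBox:
    def __init__(self, remote: RemoteAnchor) -> None:
        self.entries: List[Dict] = []
        self.head = GENESIS
        self.remote = remote

    def record(self, event: Dict) -> str:
        h = entry_hash(self.head, event)
        self.entries.append({"prev": self.head, "event": event, "hash": h})
        self.head = h
        self.remote.anchor(h)   # the chain head leaves the vehicle in real time
        return h


def verify(entries: List[Dict], anchored_heads: List[str]) -> bool:
    """True only if the local log reproduces the remotely anchored chain exactly."""
    if len(entries) != len(anchored_heads):
        return False   # events appended or deleted after the fact
    prev = GENESIS
    for entry, head in zip(entries, anchored_heads):
        if entry["prev"] != prev:
            return False
        h = entry_hash(prev, entry["event"])
        if h != entry["hash"] or h != head:
            return False
        prev = h
    return True


def run_demo() -> Tuple[bool, bool, bool]:
    """Constructed sequence: an intact log, then two tampering attempts."""
    remote = RemoteAnchor()
    box = BlackBox(remote)
    box.record({"t": 0.0, "mode": "autonomous", "speed_mph": 40})
    box.record({"t": 0.5, "sensor": "lidar", "obstacle": False})
    box.record({"t": 1.0, "brake_cmd": False})
    intact_ok = verify(box.entries, remote.heads)

    edited = copy.deepcopy(box.entries)
    edited[1]["event"]["obstacle"] = True    # rewrite history in the local copy
    edited_ok = verify(edited, remote.heads)

    truncated = box.entries[:-1]             # drop the last event
    truncated_ok = verify(truncated, remote.heads)
    return intact_ok, edited_ok, truncated_ok


if __name__ == "__main__":
    print("intact, edited, truncated:", run_demo())
```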

Naavi

Also Read:

Self Driving Cars attacked in California

New York Times Report

USA Today Report

Heavy.com report

No signs of slowing, says Police

Posted in Cyber Law

Where do I start my GDPR compliance?

Many organizations in India are now concerned about the need to be compliant with GDPR before the deadline of 25th May 2018. They must be receiving many e-mails from their business partners abroad with the query “Are you GDPR Compliant?”. There is therefore a scramble in industry circles about how to become GDPR compliant in quick time.

Any compliance program is a “Journey”. It is not completed in a day. In any compliance journey it is always tough to make the beginning. Once begun, the task is half done. The same applies to GDPR compliance also. Start your GDPR compliance and you would be able to say “I am in the process of achieving GDPR Compliance”.

The first milestone to achieve is “We are GDPR Ready”. This GDPR readiness is important for all data processors who are now negotiating a data processing contract with an EU GDPR sensitive business partner, who is constrained to ask about your GDPR readiness before starting the business dialogue with you. Until GDPR sensitive data comes into the systems and is operated in a compliance regime for some time, it is not possible to test the real GDPR compliance of any organization.

Hence, before the actual processing of GDPR sensitive data commences and has been observed for a certain period, it is difficult to conclude that any organization is “GDPR Compliant”. If it has instituted all the measures required for compliance, the organization may however declare itself to be “GDPR Compliance Ready” and nothing more.

Indian companies who are Data Processors need to understand that their main obligation is to the Data Controller who hands over the “Personal Data” which comes under the material scope of the GDPR (Article 2.1) under a “Processing Contract”. The main liability for GDPR compliance lies with the Data Controller and not the Indian Business Associate (unless the Indian company is more than a mere Business Associate for data processing and engages in direct collection of the relevant data).

The first question which any Indian company has to ask a controller is therefore:

Do you have a GDPR Compliance Check list for a non EU data processor? If so, please share it with us and we will make necessary arrangements. Otherwise, we are “Ready” to understand what could be your requirements and how it can be met at our end.

I will not be surprised if many of the Data Controllers think that EU GDPR is also applicable to extra territorial jurisdictions like India and India does not have any other local laws which may be in conflict. They may therefore presume that you are as much aware as them about GDPR and there is no need for them to tell you how to be GDPR compliant.

If you have such a client, then you can tell them,

“Yes, we are aware of GDPR and if you want, we can think on your behalf and implement GDPR for you. But this will be a GDPR consultancy contract and different from the Data Processing contract and will be charged separately”

Do Indian companies have the negotiating strength to say this? Each company needs to ask itself.

GDPR imposes liability mainly on the Data Controller and expects it to implement the compliance requirements at the design stage of the process. It is only the Data Controller who knows what the data is being collected for and how it needs to be processed. It is only the Data Controller who has access to the drafting of the “Informed Consent” and obtaining it from the Data Subject. The Data Processor is not directly involved in determining the purpose of collection and the processing requirements.

There may be an exceptional case where the Data Controller has the right to determine how the data has to be collected but engages a sub-contractor to create and manage a website or a system through which the data is collected after providing the necessary disclosures and obtaining the consent. In such a case, the Data Processor is himself the “Data Collector”. But it is still the responsibility of the Data Controller to specify in the service contract how the Data Collector cum Data Processor collects and processes the data.

Hence the “Data Processing Engagement Contract” becomes the key to starting GDPR compliance and will be the starting point for compliance in India. Either the Data Controller has to come up with one such document, or say: “we do not have a detailed agreement on how GDPR compliance is required to be done, but please consider the GDPR document as part of this agreement. Interpret it in your context and be compliant.”

An Indian company keen on the business may jump at such an opportunity, with or without charging extra fees for consultancy. However, in such cases the responsibility to interpret GDPR clauses shifts to the Indian company. We all know that legal interpretations are always dicey. There may be differences in interpretation, and the interpretation of the Indian company may not be agreed to by the EU company when a dispute actually arises.

Hence in such cases it is necessary for the local company to conduct a GDPR impact analysis in the context of what is envisaged in the contract and develop a written document that is sent to the principal for his information and confirmation. In this document, the obligations that the local company takes on, and the obligations it does not want to take or cannot take because of conflict with the local laws, can be specified.

Once this “GDPR Impact Assessment and Implementation Plan” is documented in a contractually agreeable manner, the Indian company can go ahead and implement the requirements from the technical perspective, test it to the extent possible and if everything goes well call itself “GDPR Compliant”.

The principal has the right to inspect the implementation plan, run his own tests and be satisfied beyond the claims of the local company at any time either before starting the processing contract or later.

Since there is a cost to “Getting GDPR Ready”, if the Data Controller imposes a condition that “You should be GDPR ready before …. and I will inspect and have the right to reject”, the local company should either take the cost of getting GDPR ready as a cost of business promotion or collect it separately as additional preparatory cost.

I presume that wise Indian companies have already adopted these measures.

Naavi

Posted in Cyber Law