Naavi.org

In a widely circulated media report today, it is indicated that the Government will be following a cross border personal data transfer in DPDPB2022 by indicating a negative list of countries to which data may not be transferred, leaving a large number of countries to which data can be transferred freely.

Identical stories indicating a PR release have appeared in ET, INC42, BS, DH, Telenet, Beamstart, newsncr, shafaqna, cxo-today etc. Most of these articles appear to have originated from ET. It is surprising to see even Business Standard quoting an article from Economic Times. Normally publications like Business Standard publish news directly gathered by them and not repeat the article from their rival publication. But this time it has reproduced the entire article word for word and even acknowledged the source as ET. We are aware that ET has in the past is known to have published planted stories trying to create an opinion convenient to the large industries.

We donot know if this is one such planted story. We need to await the final version from the MeitY to understand if this is the correct version of the Government.

For the records, the Minister has been quoted to have stated as follows:

At one place it refers to the source as a “Top lawmaker” and in another place it quotes the name of “Rajeev Chandrashekar, MOS”.

As could be expected, the move has been welcome by Nasscom and some other experts who hail it as the right move to avoid disruption and improve the ease of doing business.

To me however, this move if it is true, appears to be a retrograde move that shows the colonial subjugative mindset of our Government that accepts the GDPR prescription of “No Transfer without Adequacy” but thinks that we should give a “By Default permission to transfer data”. I donot understand why we should not keep up the earlier version which indicated that there would be a “Whitelist” of countries to which data can be transferred.

“The centre is likely to notify a “negative list” of countries to which data pertaining to Indian users cannot be transferred, a top lawmaker told ET.

This change is being mooted in the upcoming draft of the Digital Personal Data Protection Bill (DPDPB), 2022.

As a result, cross border data flow will be enabled across all countries “by default” unless a nation is on the negative list, the minister of state for electronics and IT, Rajeev Chandrasekhar said.”

Placing any country in a “Negative List” is considered as an “International Sanction” and could be either opposed as a bad foreign policy or countered with reverse sanctions.

On the other hand, a “Positive List” would have enabled India to have an across the table negotiation on equal terms.

It was Mr Rajeev Chandrashekar himself who had told earlier that they would create “Data Trust Zones”. That was a very innovative thought. The current proposal is a dilution of the Cross Border Transfer restrictions and is against the policy that could have encouraged more data storage business in India.

I wish the report in ET is not true. It could be a manipulated report of some remark made by the Minister.

Naavi

When Internet was first introduced with the World Wide Web, the world was excited. We all thought that an “Information Super Highway” has been created and it will bring the Encyclopedia Britannica into my desktop. No doubt this happened and for some time, www and information available under GUI was the backbone of many of us converting the information available into more useful niche level knowledge. Most of the time in such exercises, the www was feeding some information which we humans interpreted, gave new meanings and developed into a value added information. Naavi.org creating “Cyber Jurisprudence” is one of the examples of this.

The only thing we were worried at that time was the presence of “Viruses” that would bloat and make the hard disk crash unless they are removed. We were worried that some anti virus software companies may be deliberately creating such viruses to boost their sales. The Internet thrived and e-Commerce gained popularity. With this all our financial transactions got trapped in the Internet world and gave scope for “Virus” to become a “Trojan” and a malware that could commit financial crimes.

At that time one of the suggestions, I used to talk about was to keep the physical Banks separate from Internet and create new E-Banking channels under the laws of E Commerce instead of the laws of Banking. I advocated that Banks should open Internet Banking accounts separate from the physical Banking accounts so that the risks could be contained. But technology enthusiasts did not agree. They combined Internet Banking into physical Banking and all Interent Risks became Risks in Banking transactions for every body. The scope for Anti-Virus or Anti-Malware expanded. These risks are now reflecting in the form of Phishing, Ransomware etc.

Further the development of Social Media made e-mail based interactions much more exciting and brought in real time discussions into our society. We all got addicted and started become part of the “Peer-to-Peer Media”. We started believing Twitter to be more reliable than the news papers or the TV.

As a result of these developments, we have successfully replaced the trusted systems of news in the society, trusted systems of financial transactions and made us all dependent on the Internet based services which are fraught with greater risks.

Any attempt at increasing the security in terms of “Encryption” soon created it’s own monster such as the Crypto Currency which started destroying the economic system and funding cyber crimes and Cyber Terrorism.

The use of “Bots” in messaging services destroyed the reliability of Twitter as a source of user generated news since it became the purveyor of fake news and created a manipulated media.

But all these problems seem to be insignificant when we consider the latest threat that is hitting us namely the “ChatGPT”.

Chat GPT has become a craze but it is likely to become one of the biggest menaces of the society soon.

US seems to be going crazy with the adoption of ChatGPT to replace jobs and to generate content for the web which itself is the feedstock for further training of the new versions of the ChatGPT. ChatGPT will be trained on its own outputs and if its output is inefficient or wrong, it will only get re-inforced and future outputs will become more and more inefficient, unrustworthy. The US courts seem to believe that Judiciary can use ChatGPT to write judgements and US Bar Council may think that robots can become lawyers in the Court.

ChatBots will therefore rule the web world and it will be difficult to distinguish real data from ChatGPT created data.

Today there is an article in The register titled “AI-generated art can be copyrighted, says Us officials -with a catch” . According to this article, US authorities may recognize “Copyright” if content is created by humans using Chat GPT. Considering the skill in asking questions to ChatGPT, it appears that the US authorities are willing to recognize “Dependent Creativity” as copyrightable. In this respect ChatGPT will be considered just like any other tool such as the Word or Power Point that helps in creating literary work with automatic formatting, spelling corrections etc. This view will be contested but soon the supporters of ChatGPT will over ride any counter views and provide acceptability to ChatGPT as a tool that can be used to create Copyrightable works.

The fact that these developments are creating existential threats to the human race is being forgotten in the excitement over this “Innovation”. Just as in the early days of Bitcoin, all of us were so enamored by the technology behind Bitcoins that except for the crazy persons like the undersigned the world was bowled over by Bitcoins and let it become a Frankenstein monster. Today regulators are struggling to reign in the adverse impact of Private Crypto currencies and its ability to corrupt the decision makers and the Judiciary. Indian Supreme Court itself supported Bitcoin at one point of time and if it was not for the RBI with its current generation of policy makers, Bitcoin would have become part of our economic system by now since the bureaucracy politicians and Judiciary had already been compromised to different extent.

A similar situation is now developing in the ChatGPT and AI area. The regulators are hesitating to control the technological innovation and we are sinking deeper and deeper into a hole with each passing day and are likely to reach a stage of no return soon.

I have already flagged this existential threat of Chat GPT going rogue in my earlier articles highlighting the Kevin Roose interview. Now there is another example of how ChatGPT is misbehaving and already showing signs of rogue behaviour. I want everyone to study the following article in The Register

A detailed study of this article would reveal that the questions I have been raising on why did “Sydney” respond the way it did to Kevin Roose are also questions which others in the world are raising. The author of the above article Alexander Hanff has highlighted the fact that ChatGPT declared him dead and invented evidence to substantiate it’s reply. In the Kevin Roose case we rationalized the rogue behaviour as a mischievous behaviour of a creative ChatBot hallucinating in finding the continuity of the conversation. But the Alexandar Haff conversation reflects the “Malevolent nature” which is a revelation of a criminal mind inside ChatGPT.

How did the benign program develop a criminal mind is for the technologists to explain. But for the observers of the AI world who have a balanced view of the need for technological innovation to be balanced with the mitigation of risks to the society, (Let us call these AI-baiters as the AI-Heavy water), the behaviour exhibited by the ChatGPT current version is threatening enough to raise alarm.

The alarm is that we are already getting late in introducing the AI regulation. We need to regulate the development of AI similar to the way we control the Fission and Fusion reactors for energy production in reactors rather than the uncontrolled fission/Fusion in the bombs.

I have been suggesting that we should start our regulations in India by interpreting ITA 2000 in a specific manner introducing accountability for the developers of Chat GPT type of AI tools and make them respsonsible as Intermediaries for any adverse effect created by their tools.

In the meantime, some of the consultants such as Mrs Karnika Seth has developed a full fledged draft law for AI regulation itself. I am providing a link to the draft law which can be discussed separately.

The development of a draft law indicates that if the Government wants to start acting on AI regulation, they can take off quickly. Hope this would be done as soon as possible.

Naavi

While the DPDPB 2022 was under formulation, Naavi.org had discussed certain desired changes in the law which are available at the following link;

https://www.naavi.org/shape_of_things_to_come/

Amongst the several things discussed, we had discussed some aspects of the new DIA during September 2022. At that time, there was a possibility that there could have been a single Act for both Personal Data and Non Personal Data Protection/Governance. In particular, we refer to the following articles.

Regulation of Monetization of Data in NPDAI and IRCTC issue: Shape of Things to Come..13 (Monetization)

Digital India Act-4: Online gaming

How NFTs can be used for “Wash Trading”

Digital India Act…Discussions-3: Is Blockchain covered under the ITA 2000?…

Digital India Act…Discussions-2: When a Metaverse Avatar abuses another avatar…

Whenever Law feels tougher, Criminals Squeal.. Shape of Things to Come-Digital India Act-1

We may now observe that the new version of the law also refers to a coverage on Monetization .

We need to see how the DPDPB2022 be integrated to the concept of Monetization. Hopefully “Anonymised Personal Data” will be available for monetization under DIA along with non personal data. Some of the suggestions of the Kris Gopalakrishna report on monetization of non personal data may also be included in this Act.

Naavi

The Digital India Act as proposed which was unveiled by the MeitY during their public consultation session in Bangalore has spoken of “Online Safety and Trust” as one of the objectives of the proposed laws. At the same time it appears that there will be a detailed regulation of different types of intermediaries.

The proposal only speaks of empowering agencies like CERT-IN for cyber resilience etc. At the same time the existing ITA 2000 has the Digital Media Regulations which will continue in the new DIA. These regulations help us in managing cyber crimes involving “Fake News”

However, what we are presently witnessing in the Internet space is much beyond “Fake News”. With George Soros kind of enemies of the country ably assisted by the insider politicians, we are witnessing the “Weaponization” of the so called “News”. This is creating a trust deficit in the Internet besides the political disharmony created in the society. This was flagged by Mr Rajeev Chandrashekar in the following slide.

It is necessary to observe if the new DIA is capable of regulating this kind of weaponized dis-information without fuelling the opposition bogey of “Democracy under threat”. The Supreme Court is incapable of dealing with such issues since they will look at any such report under the only consideration of “Freedom of Press”.

It is necessary for the Government to bring in an appropriate legal base to recognize the concept of “Information War” and invoke the relevant provisions of IPC like Section 121. The “Toolkit” used by the Information Warriors should be declared as “Digital Arms” and suppliers of such toolkit should be brought under Section 122/123 of IPC.

Naturally the “Intermediaries” who donot exercise due diligence will become part of the “Enemies of the State” and a legal basis is created for necessary action.

The term “Press”, “Media” etc are presently used loosely and they enjoy the recognition as the fourth estate. However, when media houses are owned by corporate entities and owners like George Soros have declared their intentions to bring about regime change, their status has to be re-designated as “Propaganda Machines” and handled accordingly.

I am not sure if the Government has the courage to take such bold steps. But a debate in this regard is necessary.

Naavi

ITA 2000 was had provided the Power of Adjudication under Section 46. Under this section any dispute arising out of a contravention of ITA 2000 in which financial compensation has to be received by a person who has suffered a wrongful harm may be adjudicated. In 2003 the rules of Adjudication was announced and subsequently, every IT Secretary of a State or Union Territory was designated as an Adjudicator for the State.

Naavi was the person who pursued the first adjudication in India in the case of S. Umashankar Vs ICICI Bank in which a complaint had been filed with the Adjudicator of Tamil Nadu for compensation regarding a Phishing fraud of which Mr Umashankar was a victim. Mr Umashankar was an NRI and the case was fought by the undersigned under a Power of Attorney.

Though the rules of Adjudication expected settlement within 4 months and a possible extension of another 2 months and the appeal to be settled at the Cyber Appellate Tribunal within the next six months, the Umashankar cases registered in 2008 saw the first award by the adjudicator in 2010 on which an appeal was filed by ICICI Bank. The appeal was disposed off only in 2019 since the Cyber Appellate Tribunal was not operative for about 6 years.

Subsequently ICICI Bank filed the next appeal at the Madras High Court which dismissed the appeal in November 2022. This was a historic judgement details of which are available at www.naavi.org.

This case was indicative of a successful handling of adjudication despite the delay.

Naavi has also handled many other cases of Adjudication and in one of the cases encountered an adjudicator at Karnataka with an undisclosed vested interest in the case which resulted in a strange decision. That decision has held up the settlement for more than 10 years.

Typically we have seen apathy in handling adjudication cases by IT Secretaries and lack of legal knowledge as in the case of the Karnataka Adjudicator.

Hence I had suggested that a separate Adjudicator should be appointed exclusively under ITA 2000 and further that it can be a two member bench with one of them being a tech expert and another a legal expert.

In DIA more reliance is being placed on the system of Adjudication and tendency indicated is increasing of the penalties requiring a more responsible handling of the cases. Further the changes sought to be made in DIA will increase the cyber crimes and need for financial compensation to be dicided.

In cases where there are conflicts of interest such as when the IT Secretary has some interest in the activities of one of the litigants (such as an IT company doing business with the state Government) the Adjudicator should recuse himself and appoint an alternative adjudicator or the adjudication should be conducted by an adjudicator of a neighbouring state. (If online methods are adopted, the issues related to travelling etc can be avoided)

Presently the Cyber Appellate Tribunal has been merged with the TDSAT and TDSAT is located in Delhi only. Originally Cyber Appellate Tribunal was supposed to be able to have benches in different cities and hold hearings near the place of the victim. Alternatively TDSAT should do hearings through virtual conferences to reduce the cost of litigation.

In the DIA, these requirements need to be addressed to make adjudication people friendly.

Naavi

In introducing the need for a new Act namely Digital India Act to replace the existing ITA 2000, the Government has identified 5 distinct changes in the environment since 2000 as follows.

Out of the five identified developments, it is easy to understand the numeric growth of Internet users from 5.5 million to 850 million. This is because the cost of Internet access has become very low and also the web content has become more useful. But some of the other reasons stated is not correct.

For example, ITA 2000 never stated that there is only one kind of intermediary, namely the Internet Service Provider.

In ITA 2000, the definition of Intermediary was :

“Intermediary” with respect to any particular electronic message means any person who on behalf of another person receives, stores or transmits that message or provides any service with respect to that message;

In the 2008 version, the definition was changed to the following:

“Intermediary” with respect to any particular electronic records, means any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record and includes telecom service providers, network service providers, internet service providers, web hosting service providers, search enginers, online payment sites, online-auction sites, online market places and cyber cafes.

Along with this definition, Section 79 spoke of the safe harbour provision, and it introduced a condition (in 2008 version) that the protection under Section 79 was available only if the intermediary does not initiate a transaction or select the receiver of the transmission and select or modify the information contained in the transmission. As a result the definition of the intermediary got altered. But since most intermediaries could not satisfy these conditions, they were practically not intermediaries.

While the definition of the Intermediary was linked to a transmission of a message and could be expanded to any service which was passive, it could not be applied for Section 79 purpose to services where there was an element of monetization which required management of the service in such a manner that the intermediary chose the receiver, the supplier and also what modifications were to be made to the message.

If therefore only the ISPs and MSPs had the pure characteristics of an Intermediary eligible for Section 79, there were many other types of intermediaries who did not come under section 79 protection because of their business model. The definition could be interpreted in such a manner that a Fintech platform could be an intermediary while the Banks/Fintech companies riding on the platform were not. A Bank could not be a beneficiary in respect of customer information since it was using customer information for its business but could be an intermediary in respect of the insurance marketing service it might have been rendering to their insurance subsidiary.

The different types of intermediaries now being identified as OTT, Gaming etc were all “Intermediaries” under the ITA 2000 and MeitY had the power to introduce due diligence obligations on them. Even services such as Domain Name Registrars, hosting companies, Cloud service providers were all “Intermediaries” under the current law and hence it is incorrect to say that there is a need to change the law because of this reason. The Government has in the past failed to assert its right to regulate the intermediaries and often catapulted under a legal challenge. It was the fear of bad media that kept the Government from introducing the required changes. Even now the Gaming Regulations are only issued for public comments and not issued as an operative direction.

As long as the Government is hesitant to make proper interpretation of the law, even if new definition of intermediaries are introduced in DIA, the law will remain unimplemented.

Discussion continues…

Naavi