Information Technology Ministry

Government Never Threatened Staff of Social Media Platforms With Jail Term: IT Ministry

The statement comes a month after the Centre and Twitter faced off over the former’s demand to remove accounts and posts related to the farmers’ protest.

New Delhi: The government has never threatened employees of any social media platform, such as Twitter, of jail term, the IT Ministry has said.

Reacting to reports that alluded to Facebook, WhatsApp and Twitter employees being threatened with jail term, the ministry said social media platforms are “obliged to follow the laws of India and the Constitution of India, just like all other businesses in India have to.”

“As has been conveyed on the floor of parliament, users of social media can criticise the government, the prime minister or any minister but promotion of violence, rampant communal divide and stoking the flames of terrorism will have to be reflected upon,” it said.

The ministry’s statement comes a month after it faced off with microblogging platform Twitter over its demand to remove hundreds of posts and accounts relating to the farmers’ protest that it said violated rules. Many of these accounts used a controversial hashtag. Twitter initially did not fully comply but fell in line after the government warned the social media giant it could face ‘penal action’.

“None of the government communications, either written or oral, have ever threatened the employees of any of the social media platforms of jail term,” the ministry said.

“The government welcomes criticism and dissent. However, of late, repeated instances of abuse of social media to foment hate, discord and violence by terrorist groups from outside India and circulation of morphed images of women, revenge porn posing threat to the safety of users especially women users have become grave concerns,” it said.

The IT Ministry also addressed the recently notified IT Rules, which have come under criticism for giving the Central government sweeping and unprecedented oversight of over the top streaming platforms, digital news media outlets and social media platforms. The ministry said that the rules pertaining to social media simply require the platforms to put in place a robust grievance redressal mechanism for users.

Too Many Questions Remain Unanswered in India’s Proposal to Regulate Non-Personal Data

The expert committee’s report recognises the need to address the imbalances in power between those collecting the data and those most affected by it, but ultimately fails to adequately address the source of inequities in the digital economy.

On July 12, 2020, a committee of experts established by the government of India proposed a regulatory framework for ‘non-personal data’, which may well define the future of India’s digital policy.

The expert committee’s draft report has proposed an entirely new regulation for ‘non-personal data’, entailing an attempted definition of ownership rights over data with ‘communities’, and establishing a regulatory authority to make rules about data governance and use.

Non-personal data, such as data about the environment, production processes, or geospatial information, holds both public and economic value, but its collection and use can equally produce collective harms.

Take, for instance, the increasing ‘datafication’ of agriculture – where data collected about agricultural processes, which includes data about milk production, soil conditions, or pesticide use. This type of data is rarely about specific persons, and therefore does not fall under the scope of personal data protection law. However, who gets to collect, share and use agricultural data matters. Farmers could utilise such data to grow crops more efficiently, limit pesticide use and to move away from monocultures. However, the same data can be collected from farmers without their knowledge or consent, and then monitor a farmer’s ability to pay for inputs, lock them into services and machinery, or manipulate commodity markets. In short, it can further increase a farmer’s dependence on suppliers of seeds, fertilizers and pesticides.

Also read: Examining India’s Quest to Regulate, Govern and Exploit Non-Personal Data

How then, do we ensure that the economic and societal value of this data is unlocked, while safeguarding against the various harms to the communities that relate to the data?

One of the highlights of the Expert Committee’s report is that it clearly recognises the need to address the imbalances in power between those collecting the data and those most affected by it, and promises to foreground the interests of communities. However, despite its seemingly radical agenda, it ultimately fails to adequately address the source of inequities in the digital economy, or justify the forms of regulation that have been proposed.

The Committee’s recommendations stem from its equation of data to a resource or commodity, which is best governed through the allocation of ownership rights and by promoting its most economically efficient use. The committee’s recommendations are focused on ‘unlocking’ value in existing forms of data, primarily through mechanisms for data sharing between businesses and government. This is an explication of the common refrain that ‘data is oil’ and a valuable commodity with economic potential.

However, this conception of data is limiting in many respects. First, it ignores that ‘data’ is not merely something that is ‘captured’ by existing data businesses or technology providers, but rather reflects the motives, assumptions and biases of the people and the firms which collect and utilise this information. The processes and business models of ‘datafication’ are mired in a reductionist conception of people and spaces as resources and commodities.

Also read: Panel of US Firms to Push Back Against India’s Regulation of Non-Personal Data

The top-down approach taken by the Committee is insufficient to challenge this problem. Bottom-up approaches must consider the technical standards, technologies and the institutions which collect and utilise information, and establish agency over each of these elements.

Who gets to collect, share and use agricultural data matters. Photo: Dominik Hundhammer/CC BY-SA 3.0

Second, defining rights in data as those of ‘ownership’ can limit the range of interests which can be reflected in data. In particular, we need to look beyond economic interests and also consider the various other rights or interests that may be involved in different forms of information. In the case of agricultural data, for example, we may consider the interests of farmers who could benefit from crop sowing data, or consider environmental interests in developing agricultural practices that are safe and sustainable. Ultimately, these are questions about the governance of the data collection and processing which must be decided by the communities about whom the data pertains.

A policy framework for the governance of data must take into account the overlapping and occasionally contested interests in such governance, which need to be accounted for not only at the level of the individual, but also at the level of collective governance.

Trust, but not blindly

As a solution to the twin problem of collective harm and lack of communal control over data, the Committee proposes to grant communities collective ownership and management rights over their data through institutions known as ‘data trusts’. The generally agreed on definition of a data trust is that it is a legal relationship between trustees, who steward data rights, those who hand over their rights for stewarding by the trustee and the beneficiaries of the trust. As an example: rights over agricultural data could be placed in a trust by the holders of those rights, to be stewarded for the benefit of the farmers (or for general public benefit). The key component of a data trust is the fact that trustees hold a fiduciary duty of loyalty. That is, they can only act in the sole interest of the beneficiaries.

Also read: Why India’s Proposed Data Protection Authority Needs Constitutional Entrenchment

Institutions like data trusts are an important addition to the conversation on forms of data governance. However, whether communal data rights and data trusts would indeed empower, instead of harm, communities depends in large part on their implementation. The Committee’s recommendations, unfortunately, raise more questions than they answer.

First of all, the report assumes an identifiable, pre-existing community, whose interests can be protected by allocating ownership rights to them. However, contemporary data analysis and automated decision making technologies challenge this notion. When it comes to data, communities could span virtual realms that do not adhere to geographical boundaries. Who then decides what constitutes a community? Is it the members themselves? Or would this decision be made by a central authority?

The key component of a data trust is the fact that trustees hold a fiduciary duty of loyalty. Photo: Pixabay

Another concern is the lack of consideration given to the question of who should be the ‘trustee’ of the data, which exercises rights on behalf of the community. From the examples provided by the Committee, these could range from existing government agencies to voluntary groups. However, the Committee fails to account for independence and conflict of interest, which are crucial factors for the governance of a trust. For example, a government agency may wish to access information about a community to fulfil its own responsibilities, creating a conflict with the interests of the community.

Finally, nothing is said about how decisions will be made about how data is collected, shared and used. Data trusts are primarily a legal instrument, which leaves the problem of governance largely undetermined. In our view, a legitimate data trust should be one in which the various voices within a community are heard and decisions made by trustees are transparent and can be challenged by those who are affected by them.

On the whole, while it is laudable that important questions of data governance are being given consideration, the recommendations of the Committee are substantially underdeveloped. The Committee fails to both adequately assess the reasons for the inequities in the data economy, nor does it provide a workable framework for community-led governance of non-personal data. A mature policy on non-personal data that truly respects the rights of communities to control if they want data relating to them to be collected or shared needs to carefully consider questions of community representation, governance and legitimacy, and addresses questions of agency and self-determination.

Divij Joshi is a Mozilla Fellow working on tech policy in India. Anouk Ruhaak is a Mozilla Fellow working on collective data governance.

Panel of US Firms to Push Back Against India’s Regulation of Non-Personal Data

US-India Business Council called imposed data sharing “anathema” to promoting competition.

India’s plan to regulate “non-personal” data has jolted US tech giants Amazon.com Inc, Facebook Inc and Alphabet Inc’s Google, and a group representing them is preparing to push back against the proposals, according to sources and a letter seen by Reuters.

A government-appointed panel in July recommended setting up a regulator for information that is anonymised or devoid of personal details but critical for companies to build their businesses.

The panel proposed a mechanism for firms to share data with other entities – even competitors – saying this would spur the digital ecosystem. The report, if adopted by the government, will form the basis of a new law to regulate such data.

But the US-India Business Council (USIBC), part of the US Chamber of Commerce, calls imposed data sharing “anathema” to promoting competition and says this undermines investments made by companies to process and collect such information, according to a draft letter for the Indian government.

“USIBC and the US Chamber of Commerce are categorically opposed to mandates that require the sharing of proprietary data,” says the USIBC’s previously unreported letter, which is likely to be completed and submitted in coming weeks to India’s information technology ministry.

“It will also be tantamount to confiscation of investors’ assets and undermine intellectual property protections.”

A USIBC spokeswoman had no comment on the draft letter. The US Chamber of Commerce didn’t respond to Reuters’ queries.

The head of the panel, Kris Gopalakrishnan, a founder of Indian technology giant Infosys Ltd, said the group will work with the government to review input from the industry.

India’s Ministry of Electronics and Information Technology, Amazon, Facebook and Google did not respond to requests for comment. The report is open for public comments until September 13.

“Forced data sharing”

India’s plan to regulate non-personal data is the latest irritant for US tech companies that have been battling tighter e-commerce rules and data storage norms that several countries are also developing.

New Delhi and Washington are already at odds on such issues, as well as over digital taxes and tariffs.

The USIBC draft letter says “forced data sharing” will limit foreign trade and investment in developing countries, and the panel’s proposals run against Prime Minister Narendra Modi’s calls for US companies to invest in India.

The lobby group expresses concern about the panel’s recommendation to mandate local storage for non-personal data, describing this as a “dramatic tightening” of India’s international data transfer regime.

“These are far-reaching concepts that would have a significant impact on the ability of both Indian and multinational firms to do business in India,” Washington-headquartered law firm Covington & Burling said in a note prepared for the USIBC, which was also seen by Reuters.

The law firm did not respond to a request for comment.

The Indian panel has listed research, national security and policymaking among purposes for which such data should be shared. Three sources said tech executives participated in several meetings in recent weeks to discuss concerns over the report.

Anxious to Block Parliamentary Panel Probe Into Illegal Snooping, BJP Suffers Rare Defeat

After first agreeing that the agenda for the Standing Committee on IT would cover the Pegasus/WhatsApp snooping scandal, BJP MPs, evidently on instructions from their high command, tried unsuccessfully to scuttle meeting.

New Delhi: In a rare defeat for the ruling Bharatiya Janata Party in parliament, the Standing Committee on Information Technology voted on Wednesday to take up allegations that dozens of citizens were subjected to illegal surveillance by one or more entities in India using an Israeli malware called Pegasus that is installed surreptitiously on smartphones via WhatsApp.

The allegations surfaced earlier this month when it emerged that human rights activists, lawyers, journalists and even politicians in India had been illegally spied upon. Pegasus is sold by an Israeli company called NSO, which needs to procure a license from the Israeli government’s Defence Export Control Agency for every overseas sale.

Congress MP Shashi Tharoor, who chairs the IT committee, shared a statement with the committee members in early November noting that it was important for the parliamentary panel “to establish whether the government has written or complained to the NSO Group about its action in installing the hack required to intercept communications. This is all the more important, since reports suggest that the NSO Group only provided this technology to governmental bodies and not to private citizens.”

“Before passing any judgment,” Tharoor wrote, “we must ascertain the veracity of the information reported in the media. These reports, and the alleged use of the technology, are a matter of grave concern. Therefore, the Standing Committee will consider this matter at its next meeting, scheduled on November 20th.”

Tharoor’s note incorporated two suggestions BJP MP Rajyavardhan Rathore had made to the Lok Sabha secretariat. Accordingly, the agenda was finalised and three Union secretaries – from the IT ministry, the home ministry and the Department of Atomic Energy – were asked to present themselves before the standing committee at 3 pm on November 20.

Though the Lok Sabha speaker had approved the agenda and none of the committee’s members had raised any objection, Rathore took the floor as soon as the meeting was called to order. Citing Rule 331E of the Rules of Procedure and Conduct of Business in Lok Sabha, he insisted the panel did not have the mandate to discuss the WhatsApp snooping matter and that the agenda be scrapped.

This was countered by Mahua Moitra of the Trinamool Congress, who said the same rule made it clear the committee was empowered to consider the ministry’s annual report and since cyber security figured as a subject in the IT ministry’s report, the standing committee had every right to discuss the manner in which Pegasus/WhatsApp was used to spy on citizens.

At this point, the BJP MPs changed tack and invoked Rule 261 – “All questions at any sitting of a committee shall be determined by a majority of votes of the members present and voting”. Rathore and Nishikant Dubey said they wanted the committee to vote on whether they could take up the current agenda.

The IT committee has 31 members, of which 16 are either affiliated with the BJP or are government-nominated MPs. At the meeting on Wednesday, 24 MPs were in attendance of which the BJP’s strength was 12. There were, in addition, one MP each from NDA allies Lok Janashakti Party and Shiv Sena, besides one MP each from the TRS and YSR Congress, both of which have tended to side with the BJP.

Knowing the numbers were on his side, Rathore demanded a vote. After some argument on whether the vote would be by a show of hands or a secret ballot, an open vote was held in which 12 MPs supported the scrapping of the agenda while 12 – including the Sena, LJP and TRS – wanted the Pegasus matter to be taken up.

At this point, Tharoor threw the rule book back at the BJP MPs. “In the case of an equality of votes on any matter, the chairperson or the person acting as such shall have a second or casting vote,” says Rule 262 and Tharoor declared the motion (to scrap the agenda) defeated.

According to parliamentary sources, “two and a half hours were wasted” in these procedural wrangles and the secretaries, who were waiting outside all the while, were finally asked to come in at 5:30 pm.

Officials stonewall

IT secretary Ajay Sawhney told the panel that the government was yet to receive any formal communication from WhatsApp about the security breach and that it was up to the affected individuals to pursue the remedies available to them under the Information Technology Act.

Sawhney and other IT ministry officials also said that “officially, we have no names of the affected people.” At this point, Rathore and Dubey insisted that Tharoor not refer to them as “victims”.

The home secretary, who had to leave for a meeting with home minister Amit Shah after waiting two hours, deputed another MHA official to answer questions on behalf of the ministry. According to sources, this official reportedly said that the law permitted specified government agencies to intercept the communication of citizens but that he had no information about the use of Pegasus.

When MPs asked why the government had made no effort to find out from the Israeli government – which licenses each sale of Pegasus – who NSO’s customers in India are, the officials had no answer.

SC Issues Notice To Facebook, Google, Other Internet Majors on Sharing of Sexual Assault, Cybercrime Videos

The apex court sought responses from Google, Yahoo, Microsoft and Facebook on NGO Prajwala’s plea seeking blocking of rape videos.

A man uses the Facebook mobile app. Credit: melenita2012/Flickr(CC BY 2.0)

New Delhi: The Supreme Court on Monday sought responses from three Internet search engines and social networking site Facebook on a plea that sought curbs on sharing of videos related to sexual offences and cybercrime.

A bench comprising Justice Madan B. Lokur and Justice Uday Umesh Lalit sought responses from Google India, Yahoo India, Microsoft Corporation (India) Ltd. and Facebook by January 9 on NGO Prajwala’s plea seeking a defined place where one could report such rape videos and seek their blocking.

The court’s notices for response came during the course of hearing of a letter by Hyderabad-based non-governmental organisation Prajwala along with two rape videos. Two videos submitted in a pen drive showed a man raping a woman and another man filming it.

The NGO’s lawyer Aparna Bhat said videos of sexual offences are shot and posted online, and pleaded for court directions to them to take steps to curb cybercrime.

As the court sought responses on the plea, Additional Solicitor General Maninder Singh told the bench about the steps taken by the government and the Central Bureau of Investigation (CBI) to curb cybercrime.

The CBI happens to be the nodal agency to deal with the cases of cybercrime.

The government said this in response to an August 28 direction by the top court, asking the Information Technology Ministry about the way it could assist in reporting and blocking videos of rape under the Protection of Children from Sexual Offences Act, 2012, which are in circulation on social networking websites.

As ASG Maninder Singh said that a debate is on in the country and abroad on making public the identity of sexual offender, the court said the identity of an alleged rape offender should not be made public merely on the registration of an offence but only after conviction.

The court said if a person gets acquitted even then he would suffer damage to his image because of prior disclosure of his identity. “It will tarnish the image of a person, [even] if he is acquitted in the sexual offence case,” the bench said.

The bench said if a person is acquitted of a sexual offence, the CBI will not investigate him for the cybercrime aspect of the offence.

Pointing to National Crime Record Bureau statistics on a sharp rise in cases of sexual violence against children, the apex court asked the Centre to include in the list of measures for curbing crimes against women, the steps to protect children from sexual violence.

The NGO’s co-founder Sunitha Krishnan is engaged in the rescue and rehabilitation of victims of trafficking for sex trade.