Category: Newsletter

Metadata by TLF: Issue 7

Posted on by Tech Law Forum @ NALSAR

Welcome to our fortnightly newsletter, where our Editors put together handpicked stories from the world of tech law! You can find other issues here.

Israel spyware ‘Pegasus’ used to snoop on Indian activists, journalists, lawyers

In a startling revelation, Facebook owned messaging app WhatsApp revealed that a spyware known as ‘Pegasus’ has been used to target and surveil Indian activists and journalists. The revelation came to light after WhatsApp filed a lawsuit against the Israeli NSO Group, accusing it of using servers located in the US and elsewhere to send malware to approximately 1400 mobile phones and devices. On its part, the NSO group has consistently claimed that it sells its software only to government agencies, and that it is not used to target particular subjects. The Indian government sought a detailed reply from WhatsApp but has expressed dissatisfaction with the response received, with the Ministry of Electronics and Information Technology stating that the reply has “certain gaps” which need to be further investigated.

Further reading:

  1. Sukanya Shantha, Indian Activists, Lawyers Were ‘Targeted’ Using Israeli Spyware Pegasus, The Wire (31 October 2019).
  2. Seema Chishti, WhatsApp confirms: Israeli spyware was used to snoop on Indian journalists, activists, The Indian Express (1 November 2019).
  3. Aditi Agrawal, Home Ministry gives no information to RTI asking if it bought Pegasus spyware, Medianama (1 November 2019).
  4. Shruti Dhapola, Explained: What is Israeli spyware Pegasus, which carried out surveillance via WhatsApp?, The Indian Express (2 November 2019).
  5. Akshita Saxena, Pegasus Surveillance: All You Want To Know About The Whatsapp Suit In US Against Israeli Spy Firm [Read Complaint], LiveLaw (12 November 2019).

RBI raises concerns over WhatsApp Pay

Adding to the WhatsApp’s woes in India, just after the Israeli spyware Pegasus hacking incident, The RBI has asked the National Payments Corporation of India (NPCI) not to permit WhatsApp to go ahead with the full rollout of its payment service WhatsApp Pay. The central bank has expressed concerns over WhatsApp’s non-compliance with data processing regulations, as current regulations allow for data processing outside India on the condition that it returns to servers located in the country without copies being left on foreign servers.

Further Reading:

  1. Karan Choudhury & Neha Alawadhi, WhatsApp Pay clearance: RBI raises concerns data localisation concerns with NPCI, Business Standard (7 November 2019).
  2. Aditi Agarwal, ‘No payment services on WhatsApp without data localisation’, RBI to SC, Medianama (9 October 2019).
  3. Sujata Sangwan, WhatsApp can’t start payments business in India, YOURSTORY (9 November, 2019).
  4. Yatti Soni, WhatsApp Payments India Launch May Get Delayed Over Data Localisation Concerns, Inc42 (9 October 2019).
  5. Priyanka Pani, Bleak future for messaging app WhatsApp’s payment future in India, IBS Intelligence (9 November 2019).

Kenya passes new Data Protection Law

The Kenyan President, Uhuru Kenyatta recently approved a new data protection law in conformity with the standards set by the European Union. The new bill was legislated after it was found that existing data protection laws were not at par with the growing investments from foreign firms such as Safaricom and Amazon. There was growing concern that tech giants such as Facebook and Google would be able to collect and utilise data across the African subcontinent without any restrictions and consequently violate the privacy of citizens. The new law has specific restrictions on the manner in which personally identifiable data can be handled by the government, companies and individuals, and punishment for violations can to penalties of three million shillings or levying of prison sentences.

Further reading:

  1. Duncan Miriri, Kenya Passes Data Protection Law Crucial for Tech Investments, Reuters (8 November 2019).
  2. Yomi Kazeem, Kenya’s Stepping Up Its Citizens’ Digital Security with a New EU-Inspired Data Protection Law, Quartz Africa (12 November 2019).
  3. Kenn Abuya, The Data Protection Bill 2019 is Now Law. Here is What that Means for Kenyans, Techweez (8 November 2019).
  4. Kenya Adds New Data Regulations to Encourage Foreign Tech Entrants, Pymnts (10 November 2019).

Google gains access to healthcare data of millions through ‘Project Nightingale’

Google has been found to have gained access data to the healthcare data of millions through its partnership with healthcare firm Ascension. The venture, named ‘Project Nightingale’ allows Google to access health records, names and addresses without informing patients, in addition to other sensitive data such as lab results, diagnoses and records of hospitalisation. Neither doctors nor patients need to be told that Google an access the information, though the company has defended itself by stating that the deal amounts to “standard practice”. The firm has also stated that it does not link patient data with its own data repositories, however this has not stopped individuals and rights groups from raising privacy concerns.

Further reading:

  1. Trisha Jalan, Google’s Project Nightingale collects millions of Americans health records, Medianama (12 November 2019).
  2. Ed Pilkington, Google’s secret cache of medical data includes names and full details of millions – whistleblower, The Guardian (12 November 2019).
  3. James Vincent, The problem with Google’s health care ambitions is that no one knows where they end, The Verge (12 November 2019).
  4. Rop Copeland & Sarah E. needlemen, Google’s ‘Project Nightingale’ Triggers Federal Inquiry, Wall Street Journal (12 November 2019).

Law professor files first ever lawsuit against facial recognition in China

Law professor Guo Bing sued the Hangzhou Safari Park after it suddenly made facial recognition registration a mandatory requirement for visitor entrance. The park had previously used fingerprint recognition to allow entry, however it switched to facial recognition as part of the Chinese government’s aggressive rollout of the system meant to boost security and enhance consumer convenience. While it has been speculated that the lawsuit might be dismissed if pursued, it has stirred conversations among citizens over privacy and surveillance issues which it is hoped will result in reform of existing internet laws in the nation.

Further reading:

  1. Xue Yujie, Chinese Professor Files Landmark Suit Against Facial Recognition, Sixth Tone (4 November 2019).
  2. Michael Standaert, China wildlife park sued for forcing visitors to submit to facial recognition scan, The Guardian (4 November 2019).
  3. Kerry Allen, China facial recognition: Law professor sues wildlife park, BBC (8 November 2019).
  4. Rita Liao, China Roundup: facial recognition lawsuit and cashless payments for foreigners, TechCrunch (10 November 2019).

Twitter to ban all political advertising

Twitter has taken the decision to ban all political advertising, in a move that increases pressure on Facebook over its controversial stance to allow politicians to advertise false statements. The policy was announced via CEO Jack Dorsey’s account on Wednesday, and will apply to all ads relating to elections and associated political issues. However, the move may only to prove to have symbolic impact, as political ads on Twitter are just a fraction of those on Facebook in terms of reach and impact.

Further reading:

  1. Julie Wong, Twitter to ban all political advertising, raising pressure on Facebook, The Guardian (30 October 2019).
  2. Makena Kelly, Twitter will ban all political advertising starting in November, The Verge (30 October 2019).
  3. Amol Rajan, Twitter to ban all political advertising, BBC (31 October 2019).
  4. Alex Kantrowitz, Twitter Is Banning Political Ads. But It Will Allow Those That Don’t Mention Candidates Or Bills., BuzzFeed News (11 November 2019).

Read more

Metadata by TLF: Issue 6

Posted on by Tech Law Forum @ NALSAR

Welcome to our fortnightly newsletter, where our Editors put together handpicked stories from the world of tech law! You can find other issues here.

Delhi HC orders social media platforms to take down sexual harassment allegations against artist

The Delhi High Court ordered Facebook, Google and Instagram to remove search result, posts and any content containing allegations of sexual harassment against artist Subodh Gupta. These include blocking/removal of social media posts, articles and Google Search result links. The allegations were made about a year ago, by an unknown co-worker of Gupta on an anonymous Instagram account ‘Herdsceneand’. These allegations were also posted on Facebook and circulated by news reporting agencies. An aggrieved Subodh Gupta then filed a civil defamation suit, stating these allegations to be false and malicious. Noting the seriousness of the allegations, the Court passed an ex-parte order asking the Instagram account holder, Instagram, Facebook and Google to take down this content. The Court has now directed Facebook to produce the identity of the person behind the account ‘Herdsceneand’ in a sealed cover. 

Further Reading:

  1. Trisha Jalan, Right to be Forgotten: Delhi HC orders Google, Facebook to remove sexual harassment allegations against Subodh Gupta from search results, Medianama (1 October 2019).
  2. Akshita Saxen, Delhi HC Orders Facebook, Google To Take Down Posts Alleging Sexual Harassment by Artist Subodh Gupta [Read Order], LiveLaw.in (30 September 2019).
  3. Aditi Singh, Delhi HC now directs Facebook to reveal identity of person behind anonymous sexual harassment allegations against Subodh Gupta,  Bar & Bench (10 October 2019).
  4. The Wire Staff, Subodh Gupta Files Rs. 5-Crore Defamation Suit Against Anonymous Instagram Account, The Wire (1 October 2019)
  5. Dhananjay Mahapatra, ‘MeToo’ can’t become a ‘sullying you too’ campaign: Delhi HC, Times of India (17 May 2019).
  6. Devika Agarwal, What Does ‘Right to be Forgotten’ Mean in the Context of the #MeToo Campaign, Firstpost (19 June 2019).

Petition filed in Kerala High Court seeking a ban on ‘Telegram’

A student from National Law School of India, Bengaluru filed a petition in the Kerala high court seeking a ban on the mobile application – Telegram. The reason cited for this petition is that the app has no  checks and balances in place. There is no government regulation, no office in place and the lack of encryption keys ensures that the person sending the message can not be traced back. It was only in June this year that telegram refused to hand over the chat details of the ISIS module to the National Investigation Agency.  As compared to apps such as Watsapp, Telegram has a greater degree of secrecy. One of the features Telegram boasts of is the ‘secret chat’ version which notifies users if someone has taken a screenshot, disables the user from forwarding of messages etc. Further, there are fewer limits on the number of people who can join a channel and this makes moderation on the dissemination of information even more difficult. It is for this reason that telegram is dubbed as the ‘app of choice’ for many terrorists. It is also claimed that the app is used for transmitting vulgar and obscene content including child pornography. Several countries such as Russia and Indonesia have banned this app due to safety concerns. 

Further Reading:

  1. Soumya Tiwari, Petition in Kerala High Court seeks ban on Telegram, cites terrorism and child porn, Medianama (7 October 2019).
  2. Brenna Smith, Why India Should Worry About the Telegram App, Human Rights Centre (17 February 2019).
  3. Benjamin M., Why Are So Many Countries Banning Telegram?, Dogtown Media (11 May 2019).
  4. Vlad Savov, Russia’s Telegram ban is a big convoluted mess, The Verge (17 April 2018).
  5. Megha Mandavia, Kerala High Court seeks Centre’s views on plea to ban Telegram app, The Economic Times (4 October 2019). 
  6. Livelaw News Network, Telegram Promotes Child Pornography, Terrorism’ : Plea In Kerala HC Seeks Ban On Messaging App, Livelaw.in (2 October 2019).

ECJ rules that Facebook can be ordered to take down content globally

In a significant ruling, the European Court of Justice ruled that Facebook can be ordered to take down posts globally, and not just in the country that makes the request. It extends the reach of the EU’s internet-related laws beyond its own borders, and the decision cannot be appealed further. The ruling stemmed from a case involving defamatory comments posted on the platform about an Austrian politician, following which she demanded that Facebook erase the original comments worldwide and not just from the Austrian version worldwide. The decision raises the question of jurisdiction of EU laws, especially at a time when countries are outside the bloc are passing their own laws regulating the matter.

Further Reading:

  1. Adam Satariano, Facebook Can Be Forced to Delete Content Worldwide, E.U.’s Top Court Rules, The New York Times (3 October 2019).
  2. Chris Fox, Facebook can be ordered to remove posts worldwide, BBC News (3 October 2019).
  3. Makena Kelly, Facebook can be forced to remove content internationally, top EU court rules, The Verge (3 October 2019).
  4. Facebook must delete defamatory content worldwide if asked, DW (3 October 2019).

USA and Japan sign Digital Trade Agreement

The Digital Trade Agreement was signed by USA and Japan on October 7, 2019. The Agreement is an articulation of both the nations’ stance against data localization. The trade agreement cemented a cross-border data flow. Additionally, it allowed for open access to government data through Article 20. Articles 12 and 13 ensures no restrictions of electronic data across borders. Further, Article 7 ensures that there are no customs on digital products which are electronically transmitted. Neither country’s parties can be forced to share the source code while sharing the software during sale, distribution, etc. The first formal articulation of the free flow of digital information was seen in the Data Free Flow with Trust (DFFT), which was a key feature of the Osaka Declaration on Digital Economy. The agreement is in furtherance of the Trump administration’s to cement America’s standing as being tech-friendly, at a time when most other countries are introducing reforms to curb the practices of internet giants like Google and Facebook, and protect the rights of the consumers. American rules, such as Section 230 of the Communications Decency Act shields companies from any lawsuits related to content moderation. America, presently appears to hope that their permissive and liberal laws will become the framework for international laws. 

Further Reading:

  1.     Aditi Agarwal, USA, Japan sign Digital Trade Agreement, stand against data localisation, Medianama (9 October 2019).
  2.     U.S.-Japan Digital Trade Agreement Text, Office of the United States Trade Representative (7 October 2019).
  3.   Paul Wiseman, US signs limited deal with Japan on ag, digital trade,Washington Post (8 October 2019).
  4.   FACT SHEET U.S.-Japan Digital Trade Agreement, Office of the United States Trade Representative (7 October 2019).
  5. David McCabe and Ana Swanson, U.S. Using Trade Deals to Shield Tech Giants From Foreign Regulators, The New York Times (7 October 2019).

Read more

Metadata by TLF: Issue 5

Posted on by Tech Law Forum @ NALSAR

Welcome to our fortnightly newsletter, where our Editors put together handpicked stories from the world of tech law! You can find other issues here.

RBI Releases Discussion Paper on Guidelines for Payment Gateways and Payment Aggregators

The RBI on 17th September released a discussion paper on comprehensive guidelines for the activities of payment aggregators and payment gateway providers. It was acknowledged that payment aggregators and payment gateways form a crucial link in the flow of transactions and therefore need to be regulated. The RBI has suggested that these entities be governed by the Payment and Settlement Systems Act, 2007 which requires all  ‘payment systems’ (as defined in the Act) to be authorised by the RBI. Additionally, different frameworks have been proposed for regulating payment aggregators and payment gateways, and full and direct regulation has been discussed in detail. This would entail payment aggregators and gateway services to fully comply with any guidelines issued by the RBI.

Further Reading:

  1. Trisha Jalan, RBI proposes regulation, licensing of payment aggregators and gateways, Medianama (18 September 2019).
  2. Full regulation by RBI will require payment gateways, aggregators to be incorporated in India, The Hindu (18 September 2019).
  3. Shayan Ghosh, RBI could bring payment aggregators, gateways under direct supervision, livemint (18 September 2019).
  4. RBI paper on payment gateways: Maintain Rs. 100 crore net worth or wind up operations, moneycontrol, (19 September 2019).

Twitter removes more than ten thousand accounts across six countries

Political turmoil and instability in countries is majorly aggravated by the internet and various portals online. In light of this crisis, Twitter has decided to remove more than ten thousand accounts across six countries. These accounts were found to be actively spreading unrest in countries which were already in the wrath of a political turmoil. Twitter removed more than four thousand accounts in United Arab Emirates and China, around thousand in Ecuador, and more than two hundred in Spain.

Twitter has been making an active effort since the past one year to identify and remove accounts which were agitating sensitive issues in countries facing crisis. Online portals even have the power to sway the election processes in Democratic countries. In order to curb these impending threats, Twitter has been removing certain accounts on its platform. Even though thousands of new accounts are created everyday and several people have termed this removal process as arduous and never ending, these measures have to be taken.

Further Reading:

  1. Trisha Jalan, Twitter removes 10,000 accounts from six countries for political information operations, Medianama (23 September 2019).
  2. Ingrid Lunder, Twitter discloses another 10,000 accounts suspended for fomenting political discord globally, Tech crunch (20 September, 2019).
  3. Abrar-al-Hiti, Twitter reportedly removes over 10,000 accounts that discourage voting, Cnet (2 November 2018).
  4. Christopher Bing, Twitter deletes over 10,000 accounts, that sought to discourage voting, Reuters (3 November 2018).

California passes AB 5 Bill requiring business to hire workers as employees

California legislators approved a landmark Bill on 11 September, 2019 that has the potential to disrupt the gig economy. The Bill known as “AB 5” requires companies like Uber and Lyft to treat contract workers as employees, which gives hundreds of thousands of California workers basic labour rights for the first time. Apart from its immediate impact, the move by the California legislature might set off a domino effect in New York, Washington State and Oregon, where stalled moves to reclassify drivers might witness renewed momentum. The move has been criticised by ride-hailing firms Uber and Lyft which built their businesses on inexpensive labour, and the companies have warned that recognizing drivers as employees could destroy their businesses.

Further Reading:

  1. Kate Conger and Noam Scheiber, California Bill Makes App-Based Companies Treat Workers as Employees, New York Times (11 September 2019).
  2. Manish Singh, California passes landmark bill that requires Uber and Lyft to treat their driver as employees, Tech Crunch (11 Septemer 2019).
  3. Rosie Perper, California passes landmark bill to treat contract workers as employees, sending it to the governor for signature, Business Insider (11 September 2019).
  4. Alexia Fernandez Campbell, California just passed a landmark law to regulate Uber and Lyft, Vox (18 September 2019).
  5. Andrew J. Hawkins, California just dropped a bomb on the gig economy — what’s next?, The Verge (September 18, 2019).

Microsoft Announces Change in Policies

Microsoft has stated that most large tech law companies, will change the manner in which content is moderated on their social media platforms, irrespective of the US Congress implementing new laws. Their Chief Legal Officer and President, Brad Smith has indicated that most companies will take initiative, irrespective of U.S. Lawmakers. The statement has been made in light of the recent Christchurch shootings which were livestreamed on most social media platforms. Further, major tech companies are responding to the changes in laws around the world. S. 230 of the U.S. Communications Decency Act, 1996 presently protects these companies from being sued on the basis of the content that is uploaded by its users. Microsoft itself has claimed that it has refused the government’s requests for facial recognition software due to the fear that it may be misused. The President of Microsoft has called for other tech companies as well to stop following the “if it’s legal, its acceptable approach” since companies need to start refusing selling their products to certain clients, irrespective of the legality of the action. However, ACLU, senior legislative council has accused Microsoft of continuing to sell software that can track faces and fear in real-time, leading to violation of privacy.

Further Reading:

  1. Sheila Dang, Microsoft’s Brad Smith: Tech companies won’t wait for U.S. to act on social media laws, Reuters (13 September 2019).
  2. Alex Hern, Microsoft boss: tech firm.s must stop ‘if it’s legal, it’s acceptable’ approach, The Guardian (20 September 2019).
  3. Tom Simonite, Microsoft’s Top Lawyer Becomes a Civil Rights Crusader, MIT Technology Review (8 September 2019).
  4. Microsoft’s Brad Smith: Tech Companies Won’t Wait For U.S. To Act On Social Media Laws, Communications Today (15 September 2019).

Read more

Metadata by TLF: Issue 4

Posted on by Tech Law Forum @ NALSAR

Welcome to our fortnightly newsletter, where our Editors put together handpicked stories from the world of tech law! You can find other issues here.

Facebook approaches SC in ‘Social Media-Aadhaar linking case’

In 2018, Anthony Clement Rubin and Janani Krishnamurthy filed PILs before the Madras High Court, seeking a writ of Mandamus to “declare the linking of Aadhaar of any one of the Government authorized identity proof as mandatory for the purpose of authentication while obtaining any email or user account.” The main concern of the petitioners was traceability of social media users, which would be facilitated by linking their social media accounts with a government identity proof; this in turn could help combat cybercrime. The case was heard by a division bench of the Madras HC, and the scope was expanded to include curbing of cybercrime with the help of online intermediaries. In June 2019, the Internet Freedom Foundation became an intervener in the case to provide expertise in the areas of technology, policy, law and privacy. Notably, Madras HC dismissed the prayer asking for linkage of social media and Aadhaar, stating that it violated the SC judgement on Aadhaar which held that Aadhaar is to be used only for social welfare schemes. 

Facebook later filed a petition before the SC to transfer the case to the Supreme Court. Currently, the hearing before the SC has been deferred to 13 September 2019 and the proceedings at the Madras HC will continue. Multiple news sources reported that the TN government, represented by the Attorney General of India K.K. Venugopal, argued for linking social media accounts and Aadhaar before the SC. However, Medianama has reported that the same is not being considered at the moment and the Madras HC has categorically denied it.

Further Reading:

  1. Aditi Agrawal, SC on Facebook transfer petition: Madras HC hearing to go on, next hearing on September 13, Medianama (21 August 2019).
  2. Nikhil Pahwa, Against Facebook-Aadhaar Linking, Medianama (23 August 2019).
  3. Aditi Agrawal, Madras HC: Internet Freedom Foundation to act as an intervener in Whatsapp traceability case, Medianama (28 June 2019).
  4. Aditi Agrawal, Kamakoti’s proposals will erode user privacy, says IIT Bombay expert in IFF submission, Medianama (27 August 2019).
  5. Prabhati Nayak Mishra, TN Government Bats for Aadhaar-Social Media Linking; SC Issues Notice in Facebook Transfer Petition, LiveLaw (20 August 2019).
  6. Asheeta Regidi, Aadhaar-social media account linking could result in creation of a surveillance state, deprive fundamental right to privacy, Firstpost (21 August 2019).

Bangladesh bans Mobile Phones in Rohingya camps

Adding to the chaos and despair for the Rohingyas, the Bangladeshi government banned the use of mobile phones and also restricted mobile phone companies from providing service in the region. The companies have been given a week to comply with these new rules. The reason cited for this ban was that refugees were misusing their cell phones for criminal activities. The situation in the region has worsened over the past two years and the extreme violation of Human Rights is termed to be reaching the point of Genocide according to UN officials. This ban on mobile phones, would further worsen the situation in Rohingya by increasing their detachment with the rest of the world, thus making their lives at the refugee camp even more arduous.

Further Reading:

  1. Nishta Vishwakarma, Bangladesh bans mobile phones services in Rohingya camps, Medianama (4 September 2019).
  2. Karen McVeigh, Bangladesh imposes mobile phone blackout in Rohingya refugee camp, The Guardian (5 September 2019).
  3. News agencies, Bangladesh bans mobile phone access in Rohingya camps, Aljazeera (3 September 2019).
  4. Ivy Kaplan, How Smartphones and Social Media have Revolutionised Refugee Migration, The Globe Post (19 October 2018).
  5. Abdul Aziz, What is behind the rising chaos in Rohingya camps, Dhakka Tribune (24 March 2019).

YouTube to pay 170 million penalty for collecting the data of children without their consent

Alphabet Inc.’s Google and YouTube will be paying a $170 million penalty to the Federal Trade Commission. It will be paid to settle allegations that YouTube collected the personal information of children by tracking their cookies and earning millions through targeted advertisements without parental consent. The FTC Chairman, Joe Simons, condemned the company for publicizing its popularity with children to potential advertisers, while blatantly violating the Children’s Online Privacy Protection Act. The company has claimed to advertisers, that it does not comply with any child privacy laws since it doesn’t have any users under the age of 13. Additionally, the settlement mandates that YouTube will have to create policies to identify content that is aimed at children and notify creators and channel owners of their obligations to collect consent from their parents. In addition, YouTube has already announced that it will be launching YouTube Kids soon which will not have targeted advertising and will have only child-friendly content. Several prominent Democrats in the FTC have criticized the settlement, despite it being the largest fine on a child privacy case so far, since the penalty is seen as a pittance in contrast to Google’s overall revenue.

Further Reading:

  1. Avie Schenider, Google, YouTube To Pay $170 Million Penalty Over Collecting Kids’ Personal Info, NPR (4 September 2019).
  2. Diane Bartz, Google’s YouTube To Pay $170 Million Penalty for Collecting Data on Kids, Reuters (4 September 2019).
  3. Natasha Singer and Kate Conger, Google Is Fined $170 Million for Violating Children’s Privacy on YouTube, New York Times (4 September 2019).
  4. Peter Kafka, The US Government Isn’t Ready to Regulate The Internet. Today’s Google Fine Shows Why, Vox (4 September 2019).

Facebook Data Leak of Over 419 Million Users

Recently, researcher Sanyam Jain located online unsecured servers that contained phone numbers for over 419 million Facebook users, including users from US, UK and Vietnam. In some cases, they were able to identify the user’s real name, gender and country. The database was completely unsecured and could be accessed by anybody. The leak increases the possibility of sim-swapping or spam call attacks for the users whose data has been leaked. The leak has happened despite Facebook’s statement in April that it would be more dedicated towards the privacy of its users and restrict access to data to prevent data scraping. Facebook has attempted to downplay the effects of the leak by claiming that the actual leak is only 210 million, since there are multiple duplicates in the data that was leaked, however Zack Whittaker, Security Editor at TechCrunch has highlighted that there is little evidence of such duplication. The data appears to be old since recently the company has changed its policy such that it users can no longer search for phone numbers. Facebook has claimed that there appears to be no actual evidence that there was a serious breach of user privacy.

Further Reading:

  1. Zack Whittaker, A huge database of Facebook users’ phone numbers found online, TechCrunch (5 September 2019).
  2. Davey Winder, Unsecured Facebook Server Leaks Data Of 419 Million Users, Forbes (5 September 2019).
  3. Napier Lopez, Facebook leak contained phone numbers for 419 million users, The Next Web (5 September 2019).
  4. Kris Holt, Facebook’s latest leak includes data on millions of users, The End Gadget (5 September 2019).

Mozilla Firefox 69 is here to protect your data

Addressing the growing data protection concerns Mozilla Firefox will now block third party tracking cookies and crypto miners by its Enhanced Tracking Protection feature. To avail this feature users will have to update to Firefox 69, which enforces stronger security and privacy options by default. Browser’s ‘Enhanced Tracking Protection’ will now remain turned on by default as part of the standard setting, however users will have the option to turn off the feature for particular websites. Mozilla claims that this update will not only restrict companies from forming a user profile by tracking browsing behaviour but will also enhance the performance, User Interface and battery life of the systems running on Windows 10/mac OS.

Further Readings

  1. Jessica Davies, What Firefox’s anti-tracking update signals about wider pivot to privacy trend, Digiday (5 September 2019).
  2. Jim Salter, Firefox is stepping up its blocking game, ArsTechnica (9 June 2019).
  3. Ankush Das, Great News! Firefox 69 Blocks Third Party Cookies, Autoplay Videos & Cryptominers by Default, It’s Foss (5 September 2019).
  4. Sean Hollister, Firefox’s latest version blocks third-party trackers by default for everyone, The Verge (3 September 2019).
  5. Shreya Ganguly, Firefox will now block third-party tracking cookies and cryptomining by default for all users, Medianama (4 September 2019).

Delhi Airport T3 terminal to use ‘Facial Recognition’ technology on a trial basis

Delhi airport would be starting a three-month trial of the facial recognition system in its T3 terminal. This system is called the Biometric Enabled Seamless Travel experience (BEST). With this technology, passenger’s entry would be automatically registered at various points such as check-in, security etc. Portuguese company- toolbox has provided the technical and software support for this technology. Even though this system is voluntary in the trial run the pertinent question of whether it will remain voluntary after it is officially incorporated is still to be answered. If the trial run is successful, it will be officially incorporated.

Further Reading:

  1. Soumyarendra Barik, Facial Recognition tech to debut at Delhi airport’s T3 terminal; on ‘trial basis’ for next three months, Medianama (6 September 2019).
  2. PTI, Delhi airport to start trial run of facial recognition system at T3 from Friday, livemint (5 September 2019).
  3. Times Travel Editor, Delhi International Airport installs facial recognition system for a 3 month trial, times travel (6 September 2019).
  4. Renée Lynn Midrack, What is Facial Recognition, lifewire (10 July 2019).
  5. Geoffrey A. Fowler, Don’t smile for surveillance: Why airport face scans are a privacy trap, The Washington Post (10 June 2019).

UK Court approves use of facial recognition systems by South Wales Police

In one of the first cases of its kind a British court ruled that police use of live facial recognition systems is legal and does not violate privacy and human rights. The case, brought by Cardiff resident Ed Bridges, alleged that his right to privacy had been violated by the system which he claimed had recorded him at least twice without permission, and the suit was filed to hold the use of the system as being violative of human rights including the right to privacy. The court arrived at its decision after finding that “sufficient legal controls” were in place to prevent improper use of the technology, including the deletion of data unless it concerned a person identified from the watch list.

Further Reading:

  1. Adam Satariano, Police Use of Facial Recognition Is Accepted by British Court, New York Times (4 September 2019).
  2. Owen Bowcott, Police use of facial recognition is legal, Cardiff high court rules, The Guardian (4 September 2019).
  3. Lizzie Dearden, Police used facial recognition technology lawfully, High Court rules in landmark challenge, The Independent (4 September 2019).
  4. Donna Lu, UK court backs police use of face recognition, but fight isn’t over, New Scientist (4 September 2019).

Read more

Metadata by TLF: Issue 3

Posted on by Tech Law Forum @ NALSAR

Welcome to our fortnightly newsletter, where our editors put together handpicked stories from the world of tech law! You can find other issues here.

Uber likely to start bus service in India

The San-Francisco cab-aggregator giant, Uber is working on to kick-start an AC bus service in India. With the introduction of AC bus service, Uber is trying to inch closer toward its goals of reducing individual car ownership, expanding transportation access and helping governments plan transportation. Pradeep Parameswaran, Uber India and South Asia head said that “we are in the process of building the product and refining that. Some pilots are live in parts of Latin America and the Middle East. So they are the archetype of markets that would look like India”.

Uber bus will allow commuters to use the Uber app and reserve their seat on an air-conditioned bus. Uber will scan other passengers travelling in the same direction as the rider and hence reaching the destination with fewer stops. Through its bus service, Uber is emphasizing on educational campuses and business centers. Earlier Ola, Uber’s direct competitor, had launched similar kind of bus service in limited cities in 2015 but was stopped in 2018. At present, Gurgaon based Shuttl provides app based bus service to offices. Uber bus service in India is expected to become a reality in mid-2020.

Further Reading:

  1. Moupiya Dutta, Uber will be starting a bus service in India by 2020, TechGenyz (8 August 2019).
  2. Shreya Ganguly, Uber mulls launching bus service in India, Medianama (9 August 2019).
  3. Tenzim Norzom, Ride-hailing major Uber to soon launch bus service in India, Yourstory (7 August 2019).
  4. Hans News Service, Uber to start bus service in India, The Hans India (8 August 2019).
  5. Priyanka Sahay, India may see Uber buses plying on roads in a year, Moneycontrol (8 August 2019).

WhatsApp Hack Can Alter Messages and Spread Misinformation

The Israeli Research Company, Check Point recently revealed that WhatsApp could be hacked causing serious potential security risks to users at the Annual Black Hat Security Conference on 7thAugust, 2019. According to Roman Zaikin and Oded Vanunu, they were able to change the identity of a sender, alter the text of someone’s reply on a group and even send private messages to another member in the group as a public message, such that the reply is visible to all the participants of a group. They were able to exploit the weaknesses of the application, after they reverse-engineered the source code in 2018 and decrypt its traffic. Since then Check Point has stated that it found three ways to manipulate and alter conversations, all of which are exploited through its quoting feature. The creators did warn WhatsApp in 2018 that the tool could be used by ‘threat actors’ to create and spread misinformation and fake news. Facebook has responded stating that the risk is not serious, and to alter the application would mean having to store data about the sender, leading to lesser privacy for its users.

Further Reading:

  1. Davey Winder, WhatsApp Hack Attack Can Change Your Messages, Forbes (7 August 2019).
  2. ET Bureau, WhatsApp hack attack can change your messages, says Israeli security firm, The Economic Times (7 August 2019).
  3. Shreya Ganguly, Messages and identity on WhatsApp can be manipulated if hacked: Check Point Research, Medianama (9 August 2019).
  4. Mike Moore, Hackers can alter WhatsApp chats to show fake information, Tech Radar (9 August 2019).

Facebook’s new entity Calibra raises attention of privacy commissioners

Several privacy commissioners across the world raised concerns over the privacy policy of Facebook’s new Libra digital currency. The countries which have raised concerns are US, UK, EU, Australia, Canada, Albania and Burkina Faso.

Calibra is the new subsidiary of Facebook and its cryptocurrency is called Libra. Calibra hopes to build a financial service on top of the Libra Blockchain. The privacy concerns raised go beyond the question of financial security and privacy because of the expansive collection of data which Facebook accumulates and has access to. Calibra issued a statement that user information will be shared in only certain circumstances but there is no definite understanding of what such situations are. 

Apart from privacy concerns, the joint statement issued by the countries includes several concerns on whether Facebook should be given the right to get involved in the banking sector. If they did, they should seek a new banking charter and should be regulated by all the banking laws. These were few of the concerns raised by privacy commissioners.

Further Reading:

  1. Soumyarendra Barik, Privacy commissioners from across the world raise concerns over Facebook Libra’s privacy risk, Medianama (6 August 2019).
  2. Nick Statt, Facebook’s Calibra is a secret weapon for monetizing its new cryptocurrency, The Verge (18 June 2019).
  3. Reuters, Facebook’s cryptocurrency project raises privacy concerns, asked to halt programme, tech2 (19 June 2019).
  4. Jon Fingas, US, UK regulators ask Facebook how Libra will protect personal data, engagdet (8 May 2019).
  5. Harper Neidig, Global privacy regulators raise concerns over Libra, The Hill (8 May 2019).

EU General Data Protection Regulation exploited to reveal personal data

University of Oxford researcher James Pavur successfully exposed a design flaw in the GDPR, as a bogus demand for data using the “right to access” feature of the regulation saw about one in four companies reveal significant information about the person regarding whom the request was made. Data provided by the companies contained significant information including credit card information, travel details, account passwords and the target’s social security number, which was used by the researcher as evidence of design flaws in the GDPR. Pavur also found that large tech companies did well when it came to evaluating the requests, whereas mid-sized business didn’t perform as well despite being aware of the coming into force of the data protection regulation.

Further Reading:

  1. Leo Kelion, Black Hat: GDPR privacy law exploited to reveal personal data, BBC (8 August 2019).
  2. Sead Fadilpasic, GDPR requests exploited to leak personal data, IT ProPortal (9 August 2019).
  3. John E Dunn, GDPR privacy can be defeated using right of access requests, Naked Security by SOPHOS (12 August 2019).
  4. Understanding the GDPR’s Right of Access, Siteimprov (14 June 2019).

Apple to suspend human review of Siri requests

Human reviewers will no longer be used to study conversations recorded by Siri, according to a recent announcement by Apple. The move gives users a greater degree of privacy over their communications, and analysis of recordings will be suspended while the “grading” system deployed by the company is reviewed. The system refers to the manner in which contractors grade the accuracy of the digital assistant’s voice recognition system, with the primary task being to determine the phrase that triggered action by i.e. whether the user had actually said, “Hey, Siri” or if it was something else.

Further Reading:

  1. Hannah Denham and Jay Greene, Did you say, ‘Hey, Siri’? Apple and Amazon curtail human review of voice recordings., Washington Post (2 August 2019).
  2. Jason Cross, So Apple’s going to stop listening in on your Siri requests. Now what?, Macworld (2 August 2019).
  3. Rob Marvin, Apple to Halt Human Review of Siri Recordings, PC Mag (2 August 2019).
  4. Kate O’Flaherty, Apple Siri Eavesdropping Puts Millions Of Users At Risk, Forbes (28 July 2019).

Read more

Metadata by TLF: Issue 2

Posted on by Tech Law Forum @ NALSAR

Welcome to our fortnightly newsletter, where our editors put together handpicked stories from the world of tech law! You can find other issues here.

US Justice Department’s Big Tech Antitrust Scrutiny

The past month saw a slew of antitrust investigations being opened against big tech companies such as Facebook, Google, Amazon, etc. From the EU’s announcement of an investigation into Amazon’s use of third-party retailers’ data, to the CCI’s order against Google for abusing its dominance in the Android market—the wave against Big Tech’s threats to fair competition has spanned jurisdictions.

In the latest development, the US Justice Department has decided to open a broad investigation into Big Tech companies. The investigation follows bipartisan calls from lawmakers for reigning in the threats posed by big tech to the competitive market. According to the agency, the effort aims to explore grievances raised by consumers and business regarding search, social media and online retail services. This could lead to a heightening of calls for Amazon, Google and Facebook to be broken up. Such companies, especially Facebook, have already faced heat for the way they handle vast amounts of data and jeopardise privacy of individual people.

Further Reading:

  1. Tony Romm, Elizabeth Dwoskin & Craig Timberg, Justice Department announces broad antitrust review of Big Tech, The Washington Post (23 July 2019).
  2. David McLaughlin, Did Big Tech Get Too Big? More of the World is Asking, The Washington Post (26 July 2019).
  3. The Editorial Board, US Justice Department Must Make Antitrust Fit For the Age of Big Tech, Financial Times (28 July 2019).

Australia Competition and Consumer Commission Suggests Crackdown on Google and Facebook

Spelling further trouble for Big Tech, The Australia Competition and Consumer Commission (ACCC) submitted the Digital Report Inquiry on 26 July, 2019 which limits the market dominance of major players including Facebook and Google. The report had 23 recommendations to promote competition and increase privacy of consumers due to the lack of informed consent of consumers that presently exists. Josh Frydenberg, the treasurer of the ACCC, stated that a new division would “lift the veil” on the advertising and marketing algorithms being used by these companies. The division would also be able to conduct public inquiries and require companies to furnish any relevant information. Inquiries can be held about supply of ad services, sufficient transparency over prices and the existence of competition within the market. The report also recommended the implementation of the Australian Law Commission Report, which suggested the introduction of a statutory tort for serious invasions of privacy and a general prohibition on all unfair trade practices. Additionally, the Chairman of the ACCC, Rod Sims, stated that five investigations were underway against Facebook and Google and more could follow.

Further Reading:

  1. Josh Taylor, Facebook and Google face tighter rules in Australia as ACCC releases report, The Guardian (26 July 2019).
  2. Aditi Agarwal, Australian Anti-Trust Challenges Market Dominance of Google and Facebook in Advertising and Online News, Medianama (26 July 2019).
  3. Holistic, Dynamic Reforms Needed to Address Dominance of Digital Platforms, ACCC (26 July 2019).
  4. Tom Westbrook, Australia to ‘lift veil’ on Facebook, Google Algorithms to Protect Privacy, Reuters, (26 July 2019).

POCSO Amendment Bill expands child porn definition

The Protection of Children from sexual Offences (POCSO) Amendment Bill, 2019 introduced in Rajya Sabha by the Women and Child Development Minister Smriti Irani widened the definition of child pornography that now goes beyond videos. The amended definition now involves any photography, video, digital or computer-generated image indistinguishable from an actual child, and image created, adapted, modified, but appears to depict a child. A new section 15 has also been introduced, which proposes penalties for storage and possession of pornographic material involving children. Although the bill succeeded in garnering support from across the political spectrum, but few MPs criticised the bill for overtly emphasising on punishing the offenders and neglecting the measures to curb sexual assault of children and child pornography.

Further Reading:

  1. PTI, POCSO Amendment Bill, With Death Penalty for Aggravated Sexual Assault, Gets Rajya Sabha Nod, News18 (24 July 2019).
  2. Deepshikha Ghosh, Derek O’Brien shares sex abuse story, Smriti Irani praises his courage,     NDTV (24 July 2019).
  3. FP Staff, RS passes bill amending POCSO Act: A look back at case of Dhananjoy Chatterjee, last murderer-rapist to be hanged in country, Firstpost (25 July 2019).
  4. PTI, Rajya Sabha passes POCSO (Amendment) Bill, 2019, The Hindu (24 July 2019).
  5. Soumyarendra Barik, POCSO Amendment Bill expands child porn definition to ‘any visual depiction of sexually explicit content involving children, Medianama (26 July 2019).

Committee recommends Ban on Private Cryptocurrencies in India

The Indian cryptocurrency market received a major jolt on 22nd July 2019, with the Inter-Ministerial Committee set up under the Chairmanship of Economic Affairs Secretary Subhash Chandra Garg recommending a ban on the use of such cryptocurrencies in India. Set up to look into the legality of cryptocurrencies and blockchain technology, the Committee submitted that private currencies should be completely banned in India, and drafted the Banning of Cryptocurrency & Regulation of Official Digital Currency Bill, 2019 which mandates a fine and imprisonment of up to 10 years for offences involving the use of such currencies. However, the Committee approved of the advantages of the underlying blockchain technology and floated the idea of an official RBI-backed cryptocurrency in the future, perhaps suggesting that the future of cryptocurrencies is yet to be resolved.

Further Reading:

  1. Asit Ranjan Mishra, Panel favours cryptocurrency ban in India, Livemint (22 July 2019).
  2. Mike Orcutt, India might ban cryptocurrency and give its users jail time, MIT Technology Review (25 July 2019).
  3. Amol Agrawal, Private crypto ban: Has India gone overboard?, Moneycontrol (23 July 2019).
  4. Vikash Kumar Bairagi, Proposed Ban on Cryptocurrency In India: An Analysis Of ‘Banning Of Cryptocurrency & Regulation Of Official Digital Currency Bill, Livelaw (28 July 2019).
  5. Suprita Anupam, The Aftermath Of India’s Cryptocurrency Ban: Start-ups, Investors Poke Holes In Govt’s Plan, Inc42 (23 July 2019).

Byte dance to invest USD 1 Billion in India over the next three years

Proclaimed to be among the most valuable start-ups in the world, ByteDance plans to invest USD 1 Billion in India over the next three years. ByteDance is the parent company of TikTok, a Chinese video making app which allows users to create and share videos online. On July 17th 2019, the cyber e-security arm of the Ministry of Electronics and Information Technology sent a notice to TikTok and Helo raising issues related to anti-Indian activities. They were given an ultimatum to respond by July 22nd or face severe consequences. Previously, they had also faced a one week ban in April 2019. Despite all these encumbrances, ByteDance has a promising plan for India. It plans on investing USD 1 billion over the next three years. They would also be increasing the number of employees in India to 1000 by the end of this year. ByteDance implemented several regulatory and safety measures in order to comply with the cultural and political ideologies of the country.

Further Reading:

  1. Ananya Chaturvedi, TikTok and Helo promise to collaborate after India threatens ban, Quartz India, (18 July 2019).
  2. Aditi Agrawal, Byte Dance to open a data centre in India, Medianama, (22 July 2019).
  3. PTI, TickTocks parent Byte-Dance plans USD 1 Billion investment in India in next 3 years, The Economic Times, (19 April, 2019).
  4. IANS, How TickTock made Modi popular among young voters, The Economic Times, (25 May 2019).
  5. PTI, TikTok’s parent ‘very optimistic’ on India, to invest $1-bn in next 3 yrs, Business Standard, (19 April 2019).

Read more

Metadata by TLF: Issue 1

Posted on by Tech Law Forum NALSAR

Welcome to our fortnightly newsletter, where our editors put together handpicked stories from the world of tech law! You can find other issues here.

SC Decides Not to Intervene in Delhi Govt.’s School CCTV Plan

On 6 July 2019, Delhi CM launched a mission to install CCTV cameras in all government schools in Delhi by November. The decision was challenged through a petition filed by an NLU student before the Supreme Court. In the latest development, the Supreme Court has refused to stay the Delhi govt’s plan to install CCTV cameras in school classrooms, which includes a plan to live stream the feed to parents of students. A Bench headed by Ranjan Gogoi did not entertain the plea that this move violated the right to privacy, despite the government making no moves to gain the approval of either the students or parents for the same. This decision is surprising given the recognition of the right to privacy as a fundamental right by a nine-judge bench of the Supreme Court in Justice KS Puttaswamy v. Union of India.

Further reading:

Google Employees Admit to Eavesdropping using Google Assistant

In a chilling development, Belgian outlet VRT News has discovered that Google employees systematically listen to audio files recorded by the Google Home smart speakers and the Google Assistant app. Google later conceded that 0.2% of all audio snippets it records are reviewed, to improve their search engine. The App automatically begins recording audio when prompted by a wake-up word or phrase like “Ok, Google”. It even listens to private conversations that are not meant to be recorded. This development comes in the wake of reports that surfaced a few months ago about thousands of Amazon employees around the world listening to audio recorded by Alexa-powered Amazon Echo; this is done to improve Alexa’s voice recognition ability. Google Home’s privacy policy page does not explicitly state that human intervention is used to listen to audio clips. Neither Google nor Amazon’s privacy policies state that they may eavesdrop on personal conversations inadvertently.

Further reading:

Facebook’s draws President Trump’s ire over new cryptocurrency project ‘Libra’

Facebook is no stranger to controversy given the sheer number of data protection issues that have dogged the company in recent years, but the company’s push to join the cryptocurrency race may have earned them the wrath of the most powerful foe of all – US President Donald Trump. The President called out the social media network’s attempts to build a new currency by stating that the USA had just “one real currency”, and further stating that Facebook needed to submit itself to increased oversight of its banking and data protection efforts. This comes as a fresh blow to the company that unveiled their Libra cryptocurrency to widespread doubt and scepticism among those in the bitcoin sector, with many fearing that it represented yet another effort by the company to snoop and collect data on its users and associates. Libra is the name of Facebook’s new cryptocurrency, which differs from other decentralised currencies by virtue of being backed by a reserve of real assets.

Further reading:

Uber to make meal drops via Drones this summer in San Diego

Uber recently announced that Uber Elevate- the aerial arm of the ride share service uber, would start a fast food delivery service by utilising drones this summer. It is supposed to be launched in San Diego.They have been working in close collaboration with Federal Aviation Administration (FAA) to ensure that they are sticking to all regulations. McDonalds being one of the partners has been working on technology to keep the food fresh and hot during the aerial delivery. The food would land on specially designed landing zones and not in residential apartments. An uber courier would then hand deliver the package to the customer.

Before kickstarting this venture Uber is considering several factors which would impact its operation.Firstly, the special landing zone faces the problem of thefts. Even though the technology has been developed to address these issues, the costs involved inevitably increases. Further, there are several restrictions on the use of drones over densely populated areas. As a result, Uber would not be able to expand its reach. However, Uber considers these drones as a gateway into the rural areas where it is difficult to manually deliver products.It also states that in many places this venture would effectively save time on delivery of fast food.

Further reading:

IIT-M professor suggests simple solution to combat fake news on WhatsApp

While the Central government and messaging service WhatsApp are at loggerheads on making messages traceable to combat fake news, V Kamakoti, a Professor at the Department of Computer Science and Engineering, IIT Madras and a member of the National Security Advisory Board (NSAB) under the Prime Minister’s Office (PMO), has come out with the suggestion that the contact number of the originator of a WhatsApp message should tail it when forwarded.

“When somebody creates a message and when WhatsApp encrypt and send the message, along with it, add the author’s phone number as part of the message. It will go whenever the message is forwarded and at any point of time when I read a message, I know who the author is. It cannot be edited, considering it is encrypted. It can be edited only if you copy the content and send it, and then it becomes your own responsibility,” said Kamakoti. This simple solution will also cater to the worries of WhatsApp regarding breaching its privacy policy. There is no need for WhatsApp to breach its privacy policy.

Further reading:

Thailand Passes New Cyber Martial Law

Thailand has passed a cybersecurity act that gives overarching powers to state cyber agencies which has recently become effective. The Act provides that depending upon the severity of cybersecurity threats, people will have to provide access to their data or computer systems, allow the government to monitor their systems or allow officials to test the operation of a computer system and freeze equipment. It also creates a National Cybersecurity Committee that will be able to seize computers and data without a court warrant in cases of a ‘severe cyber threat’. Further, organisations that are classified as Critical Information Infrastructure Organisations (CII Organisations) have additional compliance obligations. The new laws have caused concerns since they may be used to further consolidate the power of the government and crack-down against any opposition through claims of ‘national security’. It may also drive businesses out of the country through the complex compliance burdens. Civil liberties groups believe that any threat to the government will be considered an emergency, allowing them to view and control the majority of the public’s data. Meanwhile, the government has maintained that the act is merely a tool for law enforcement and regulatory control. The new law is part of the pattern of restrictive laws being passed in Southeast Asia, including in Vietnam and Malaysia.

Further Reading:

France bans ‘Judicial Analytics’

France has banned the publication of statistical information about judges’ decisions and shocked the legal industry. “The identity data of magistrates and members of the judiciary cannot be reused with the purpose or effect of evaluating, analysing, comparing or predicting their actual or alleged professional practices,” the law states, and makes it punishable by a maximum five-year prison sentence. The French legislature is trying to turn off the use of A.I. and machine learning to understand or predict judicial behaviour.

In recent years, A.I. has made extraordinary inroads into the practice of law. Recent efforts to digitize legal texts, from federal regulations to courtroom transcripts, have created a nascent global industry in legal analytics. The use of technology to analyse case-law and scrutinize decisions has penetrated deep in both academia and private practice. France banning the use of public information to “assess, analyse, compare or predict” how judges make decisions, will result in less information about how their judicial system works, and people will have access to fewer tools to help them.

Further reading:

Read more