Category: Surveillance

Metadata by TLF: Issue 15 (1st July to 15th July)

Posted on by Tech Law Forum @ NALSAR

Welcome to our fortnightly newsletter, where our reporters Kruttika Lokesh and Dhananjay Dhonchak put together handpicked stories from the world of tech law! You can find other issues here.

PIL filed seeking identities of content moderation officers

Former RSS ideologue K N Govindacharya filed a public-interest litigation in the High Court of Delhi to prompt Google, Twitter and Facebook to disclose identities of designated content moderation officers on the basis of the Information Technology Rules. In response, Google submitted that the officers worked with government authorities to remove illegal content. Govindacharya claimed that without disclosure of the officers’ identities, no mechanisms to enforce obligations could not be adequately instituted. However, Google responded by stating that revealing the identities of officers would jeopardize their capacity to work efficiently with the government, as they would be exposed to public scrutiny and criticism.

Read more

India’s 5G Trial: The Case for Huawei’s Exclusion

Posted on by Tech Law Forum @ NALSAR

[This post has been authored by Sarthak Gupta of the Institute of Law, Nirma University.]

5G is the next big change awaiting mankind. It is not just an incremental change but rather represents a paradigm shift in technology. Among other things, it is going to have a huge impact on the national and economic security of countries. As a result, a safe and reliable framework for the development of 5G technology is very much critical for a nation’s ability to preserve its sovereignty.

Read more

The TLF Newsletter: Issue 7

Posted on by Tech Law Forum @ NALSAR

Welcome to our fortnightly newsletter, where our Editors put together handpicked stories from the world of tech law! You can find other issues here.

Israel spyware ‘Pegasus’ used to snoop on Indian activists, journalists, lawyers

In a startling revelation, Facebook owned messaging app WhatsApp revealed that a spyware known as ‘Pegasus’ has been used to target and surveil Indian activists and journalists. The revelation came to light after WhatsApp filed a lawsuit against the Israeli NSO Group, accusing it of using servers located in the US and elsewhere to send malware to approximately 1400 mobile phones and devices. On its part, the NSO group has consistently claimed that it sells its software only to government agencies, and that it is not used to target particular subjects. The Indian government sought a detailed reply from WhatsApp but has expressed dissatisfaction with the response received, with the Ministry of Electronics and Information Technology stating that the reply has “certain gaps” which need to be further investigated.

Further reading:

  1. Sukanya Shantha, Indian Activists, Lawyers Were ‘Targeted’ Using Israeli Spyware Pegasus, The Wire (31 October 2019).
  2. Seema Chishti, WhatsApp confirms: Israeli spyware was used to snoop on Indian journalists, activists, The Indian Express (1 November 2019).
  3. Aditi Agrawal, Home Ministry gives no information to RTI asking if it bought Pegasus spyware, Medianama (1 November 2019).
  4. Shruti Dhapola, Explained: What is Israeli spyware Pegasus, which carried out surveillance via WhatsApp?, The Indian Express (2 November 2019).
  5. Akshita Saxena, Pegasus Surveillance: All You Want To Know About The Whatsapp Suit In US Against Israeli Spy Firm [Read Complaint], LiveLaw (12 November 2019).

RBI raises concerns over WhatsApp Pay

Adding to the WhatsApp’s woes in India, just after the Israeli spyware Pegasus hacking incident, The RBI has asked the National Payments Corporation of India (NPCI) not to permit WhatsApp to go ahead with the full rollout of its payment service WhatsApp Pay. The central bank has expressed concerns over WhatsApp’s non-compliance with data processing regulations, as current regulations allow for data processing outside India on the condition that it returns to servers located in the country without copies being left on foreign servers.

Further Reading:

  1. Karan Choudhury & Neha Alawadhi, WhatsApp Pay clearance: RBI raises concerns data localisation concerns with NPCI, Business Standard (7 November 2019).
  2. Aditi Agarwal, ‘No payment services on WhatsApp without data localisation’, RBI to SC, Medianama (9 October 2019).
  3. Sujata Sangwan, WhatsApp can’t start payments business in India, YOURSTORY (9 November, 2019).
  4. Yatti Soni, WhatsApp Payments India Launch May Get Delayed Over Data Localisation Concerns, Inc42 (9 October 2019).
  5. Priyanka Pani, Bleak future for messaging app WhatsApp’s payment future in India, IBS Intelligence (9 November 2019).

Kenya passes new Data Protection Law

The Kenyan President, Uhuru Kenyatta recently approved a new data protection law in conformity with the standards set by the European Union. The new bill was legislated after it was found that existing data protection laws were not at par with the growing investments from foreign firms such as Safaricom and Amazon. There was growing concern that tech giants such as Facebook and Google would be able to collect and utilise data across the African subcontinent without any restrictions and consequently violate the privacy of citizens. The new law has specific restrictions on the manner in which personally identifiable data can be handled by the government, companies and individuals, and punishment for violations can to penalties of three million shillings or levying of prison sentences.

Further reading:

  1. Duncan Miriri, Kenya Passes Data Protection Law Crucial for Tech Investments, Reuters (8 November 2019).
  2. Yomi Kazeem, Kenya’s Stepping Up Its Citizens’ Digital Security with a New EU-Inspired Data Protection Law, Quartz Africa (12 November 2019).
  3. Kenn Abuya, The Data Protection Bill 2019 is Now Law. Here is What that Means for Kenyans, Techweez (8 November 2019).
  4. Kenya Adds New Data Regulations to Encourage Foreign Tech Entrants, Pymnts (10 November 2019).

Google gains access to healthcare data of millions through ‘Project Nightingale’

Google has been found to have gained access data to the healthcare data of millions through its partnership with healthcare firm Ascension. The venture, named ‘Project Nightingale’ allows Google to access health records, names and addresses without informing patients, in addition to other sensitive data such as lab results, diagnoses and records of hospitalisation. Neither doctors nor patients need to be told that Google an access the information, though the company has defended itself by stating that the deal amounts to “standard practice”. The firm has also stated that it does not link patient data with its own data repositories, however this has not stopped individuals and rights groups from raising privacy concerns.

Further reading:

  1. Trisha Jalan, Google’s Project Nightingale collects millions of Americans health records, Medianama (12 November 2019).
  2. Ed Pilkington, Google’s secret cache of medical data includes names and full details of millions – whistleblower, The Guardian (12 November 2019).
  3. James Vincent, The problem with Google’s health care ambitions is that no one knows where they end, The Verge (12 November 2019).
  4. Rop Copeland & Sarah E. needlemen, Google’s ‘Project Nightingale’ Triggers Federal Inquiry, Wall Street Journal (12 November 2019).

Law professor files first ever lawsuit against facial recognition in China

Law professor Guo Bing sued the Hangzhou Safari Park after it suddenly made facial recognition registration a mandatory requirement for visitor entrance. The park had previously used fingerprint recognition to allow entry, however it switched to facial recognition as part of the Chinese government’s aggressive rollout of the system meant to boost security and enhance consumer convenience. While it has been speculated that the lawsuit might be dismissed if pursued, it has stirred conversations among citizens over privacy and surveillance issues which it is hoped will result in reform of existing internet laws in the nation.

Further reading:

  1. Xue Yujie, Chinese Professor Files Landmark Suit Against Facial Recognition, Sixth Tone (4 November 2019).
  2. Michael Standaert, China wildlife park sued for forcing visitors to submit to facial recognition scan, The Guardian (4 November 2019).
  3. Kerry Allen, China facial recognition: Law professor sues wildlife park, BBC (8 November 2019).
  4. Rita Liao, China Roundup: facial recognition lawsuit and cashless payments for foreigners, TechCrunch (10 November 2019).

Twitter to ban all political advertising

Twitter has taken the decision to ban all political advertising, in a move that increases pressure on Facebook over its controversial stance to allow politicians to advertise false statements. The policy was announced via CEO Jack Dorsey’s account on Wednesday, and will apply to all ads relating to elections and associated political issues. However, the move may only to prove to have symbolic impact, as political ads on Twitter are just a fraction of those on Facebook in terms of reach and impact.

Further reading:

  1. Julie Wong, Twitter to ban all political advertising, raising pressure on Facebook, The Guardian (30 October 2019).
  2. Makena Kelly, Twitter will ban all political advertising starting in November, The Verge (30 October 2019).
  3. Amol Rajan, Twitter to ban all political advertising, BBC (31 October 2019).
  4. Alex Kantrowitz, Twitter Is Banning Political Ads. But It Will Allow Those That Don’t Mention Candidates Or Bills., BuzzFeed News (11 November 2019).

Read more

The TLF Newsletter: Issue 4

Posted on by Tech Law Forum @ NALSAR

Welcome to our fortnightly newsletter, where our Editors put together handpicked stories from the world of tech law! You can find other issues here.

Facebook approaches SC in ‘Social Media-Aadhaar linking case’

In 2018, Anthony Clement Rubin and Janani Krishnamurthy filed PILs before the Madras High Court, seeking a writ of Mandamus to “declare the linking of Aadhaar of any one of the Government authorized identity proof as mandatory for the purpose of authentication while obtaining any email or user account.” The main concern of the petitioners was traceability of social media users, which would be facilitated by linking their social media accounts with a government identity proof; this in turn could help combat cybercrime. The case was heard by a division bench of the Madras HC, and the scope was expanded to include curbing of cybercrime with the help of online intermediaries. In June 2019, the Internet Freedom Foundation became an intervener in the case to provide expertise in the areas of technology, policy, law and privacy. Notably, Madras HC dismissed the prayer asking for linkage of social media and Aadhaar, stating that it violated the SC judgement on Aadhaar which held that Aadhaar is to be used only for social welfare schemes. 

Facebook later filed a petition before the SC to transfer the case to the Supreme Court. Currently, the hearing before the SC has been deferred to 13 September 2019 and the proceedings at the Madras HC will continue. Multiple news sources reported that the TN government, represented by the Attorney General of India K.K. Venugopal, argued for linking social media accounts and Aadhaar before the SC. However, Medianama has reported that the same is not being considered at the moment and the Madras HC has categorically denied it.

Further Reading:

  1. Aditi Agrawal, SC on Facebook transfer petition: Madras HC hearing to go on, next hearing on September 13, Medianama (21 August 2019).
  2. Nikhil Pahwa, Against Facebook-Aadhaar Linking, Medianama (23 August 2019).
  3. Aditi Agrawal, Madras HC: Internet Freedom Foundation to act as an intervener in Whatsapp traceability case, Medianama (28 June 2019).
  4. Aditi Agrawal, Kamakoti’s proposals will erode user privacy, says IIT Bombay expert in IFF submission, Medianama (27 August 2019).
  5. Prabhati Nayak Mishra, TN Government Bats for Aadhaar-Social Media Linking; SC Issues Notice in Facebook Transfer Petition, LiveLaw (20 August 2019).
  6. Asheeta Regidi, Aadhaar-social media account linking could result in creation of a surveillance state, deprive fundamental right to privacy, Firstpost (21 August 2019).

Bangladesh bans Mobile Phones in Rohingya camps

Adding to the chaos and despair for the Rohingyas, the Bangladeshi government banned the use of mobile phones and also restricted mobile phone companies from providing service in the region. The companies have been given a week to comply with these new rules. The reason cited for this ban was that refugees were misusing their cell phones for criminal activities. The situation in the region has worsened over the past two years and the extreme violation of Human Rights is termed to be reaching the point of Genocide according to UN officials. This ban on mobile phones, would further worsen the situation in Rohingya by increasing their detachment with the rest of the world, thus making their lives at the refugee camp even more arduous.

Further Reading:

  1. Nishta Vishwakarma, Bangladesh bans mobile phones services in Rohingya camps, Medianama (4 September 2019).
  2. Karen McVeigh, Bangladesh imposes mobile phone blackout in Rohingya refugee camp, The Guardian (5 September 2019).
  3. News agencies, Bangladesh bans mobile phone access in Rohingya camps, Aljazeera (3 September 2019).
  4. Ivy Kaplan, How Smartphones and Social Media have Revolutionised Refugee Migration, The Globe Post (19 October 2018).
  5. Abdul Aziz, What is behind the rising chaos in Rohingya camps, Dhakka Tribune (24 March 2019).

YouTube to pay 170 million penalty for collecting the data of children without their consent

Alphabet Inc.’s Google and YouTube will be paying a $170 million penalty to the Federal Trade Commission. It will be paid to settle allegations that YouTube collected the personal information of children by tracking their cookies and earning millions through targeted advertisements without parental consent. The FTC Chairman, Joe Simons, condemned the company for publicizing its popularity with children to potential advertisers, while blatantly violating the Children’s Online Privacy Protection Act. The company has claimed to advertisers, that it does not comply with any child privacy laws since it doesn’t have any users under the age of 13. Additionally, the settlement mandates that YouTube will have to create policies to identify content that is aimed at children and notify creators and channel owners of their obligations to collect consent from their parents. In addition, YouTube has already announced that it will be launching YouTube Kids soon which will not have targeted advertising and will have only child-friendly content. Several prominent Democrats in the FTC have criticized the settlement, despite it being the largest fine on a child privacy case so far, since the penalty is seen as a pittance in contrast to Google’s overall revenue.

Further Reading:

  1. Avie Schenider, Google, YouTube To Pay $170 Million Penalty Over Collecting Kids’ Personal Info, NPR (4 September 2019).
  2. Diane Bartz, Google’s YouTube To Pay $170 Million Penalty for Collecting Data on Kids, Reuters (4 September 2019).
  3. Natasha Singer and Kate Conger, Google Is Fined $170 Million for Violating Children’s Privacy on YouTube, New York Times (4 September 2019).
  4. Peter Kafka, The US Government Isn’t Ready to Regulate The Internet. Today’s Google Fine Shows Why, Vox (4 September 2019).

Facebook Data Leak of Over 419 Million Users

Recently, researcher Sanyam Jain located online unsecured servers that contained phone numbers for over 419 million Facebook users, including users from US, UK and Vietnam. In some cases, they were able to identify the user’s real name, gender and country. The database was completely unsecured and could be accessed by anybody. The leak increases the possibility of sim-swapping or spam call attacks for the users whose data has been leaked. The leak has happened despite Facebook’s statement in April that it would be more dedicated towards the privacy of its users and restrict access to data to prevent data scraping. Facebook has attempted to downplay the effects of the leak by claiming that the actual leak is only 210 million, since there are multiple duplicates in the data that was leaked, however Zack Whittaker, Security Editor at TechCrunch has highlighted that there is little evidence of such duplication. The data appears to be old since recently the company has changed its policy such that it users can no longer search for phone numbers. Facebook has claimed that there appears to be no actual evidence that there was a serious breach of user privacy.

Further Reading:

  1. Zack Whittaker, A huge database of Facebook users’ phone numbers found online, TechCrunch (5 September 2019).
  2. Davey Winder, Unsecured Facebook Server Leaks Data Of 419 Million Users, Forbes (5 September 2019).
  3. Napier Lopez, Facebook leak contained phone numbers for 419 million users, The Next Web (5 September 2019).
  4. Kris Holt, Facebook’s latest leak includes data on millions of users, The End Gadget (5 September 2019).

Mozilla Firefox 69 is here to protect your data

Addressing the growing data protection concerns Mozilla Firefox will now block third party tracking cookies and crypto miners by its Enhanced Tracking Protection feature. To avail this feature users will have to update to Firefox 69, which enforces stronger security and privacy options by default. Browser’s ‘Enhanced Tracking Protection’ will now remain turned on by default as part of the standard setting, however users will have the option to turn off the feature for particular websites. Mozilla claims that this update will not only restrict companies from forming a user profile by tracking browsing behaviour but will also enhance the performance, User Interface and battery life of the systems running on Windows 10/mac OS.

Further Readings

  1. Jessica Davies, What Firefox’s anti-tracking update signals about wider pivot to privacy trend, Digiday (5 September 2019).
  2. Jim Salter, Firefox is stepping up its blocking game, ArsTechnica (9 June 2019).
  3. Ankush Das, Great News! Firefox 69 Blocks Third Party Cookies, Autoplay Videos & Cryptominers by Default, It’s Foss (5 September 2019).
  4. Sean Hollister, Firefox’s latest version blocks third-party trackers by default for everyone, The Verge (3 September 2019).
  5. Shreya Ganguly, Firefox will now block third-party tracking cookies and cryptomining by default for all users, Medianama (4 September 2019).

Delhi Airport T3 terminal to use ‘Facial Recognition’ technology on a trial basis

Delhi airport would be starting a three-month trial of the facial recognition system in its T3 terminal. This system is called the Biometric Enabled Seamless Travel experience (BEST). With this technology, passenger’s entry would be automatically registered at various points such as check-in, security etc. Portuguese company- toolbox has provided the technical and software support for this technology. Even though this system is voluntary in the trial run the pertinent question of whether it will remain voluntary after it is officially incorporated is still to be answered. If the trial run is successful, it will be officially incorporated.

Further Reading:

  1. Soumyarendra Barik, Facial Recognition tech to debut at Delhi airport’s T3 terminal; on ‘trial basis’ for next three months, Medianama (6 September 2019).
  2. PTI, Delhi airport to start trial run of facial recognition system at T3 from Friday, livemint (5 September 2019).
  3. Times Travel Editor, Delhi International Airport installs facial recognition system for a 3 month trial, times travel (6 September 2019).
  4. Renée Lynn Midrack, What is Facial Recognition, lifewire (10 July 2019).
  5. Geoffrey A. Fowler, Don’t smile for surveillance: Why airport face scans are a privacy trap, The Washington Post (10 June 2019).

UK Court approves use of facial recognition systems by South Wales Police

In one of the first cases of its kind a British court ruled that police use of live facial recognition systems is legal and does not violate privacy and human rights. The case, brought by Cardiff resident Ed Bridges, alleged that his right to privacy had been violated by the system which he claimed had recorded him at least twice without permission, and the suit was filed to hold the use of the system as being violative of human rights including the right to privacy. The court arrived at its decision after finding that “sufficient legal controls” were in place to prevent improper use of the technology, including the deletion of data unless it concerned a person identified from the watch list.

Further Reading:

  1. Adam Satariano, Police Use of Facial Recognition Is Accepted by British Court, New York Times (4 September 2019).
  2. Owen Bowcott, Police use of facial recognition is legal, Cardiff high court rules, The Guardian (4 September 2019).
  3. Lizzie Dearden, Police used facial recognition technology lawfully, High Court rules in landmark challenge, The Independent (4 September 2019).
  4. Donna Lu, UK court backs police use of face recognition, but fight isn’t over, New Scientist (4 September 2019).

Read more

Article 13 of the EU Copyright Directive: A license to gag freedom of expression globally?

Posted on by Tech Law Forum @ NALSAR

The following post has been authored by Bhavik Shukla, a fifth year student at National Law Institute University (NLIU) Bhopal. He is deeply interested in Intellectual Property Rights (IPR) law and Technology law. In this post, he examines the potential chilling effect of the EU Copyright Directive.

 

Freedom of speech and expression is the bellwether of the European Union (“EU”) Member States; so much so that its censorship will be the death of the most coveted human right. Europe possesses the strongest and the most institutionally developed structure of freedom of expression through the European Convention on Human Rights (“ECHR”). In 1976, the ECHR had observed in Handyside v. United Kingdom that a “democratic society” could not exist without pluralism, tolerance and broadmindedness. However, the recently adopted EU Copyright Directive in the Digital Single Market (“Copyright Directive”) seeks to alter this fundamental postulate of the European society by introducing Article 13 to the fore. Through this post, I intend to deal with the contentious aspect of Article 13 of the Copyright Directive, limited merely to its chilling impact on the freedom of expression. Subsequently, I shall elaborate on how the Copyright Directive possesses the ability to affect censorship globally.

Collateral censorship: Panacea for internet-related issues in the EU

The adoption of Article 13 of the Copyright Directive hints towards the EU’s implementation of a collateral censorship-based model. Collateral censorship occurs when a state holds one private party, “A” liable for the speech of another private party, “B”. The problem with such model is that it vests the power to censor content primarily in a private party, namely “A” in this case. The implementation of this model is known to have an adverse effect on the freedom of speech, and the adoption of the Copyright Directive has contributed towards producing such an effect.

The Copyright Directive envisages a new concept of online content sharing service providers (“service providers”), which refers to a “provider… whose main purpose is to store and give access to the public to significant amount of protected subject-matter uploaded by its users…” Article 13(1) of the Copyright Directive states that such service providers shall perform an act of “communication to the public” as per the provisions of the Infosoc Directive. Further, Article 13(2a) provides that service providers shall ensure that “unauthorized protected works” shall not be made available. However, this Article also places service providers under an obligation to provide access to “non-infringing works” or “other protected subject matter”, including those covered by exceptions or limitations to copyright. The Copyright Directive’s scheme of collateral censorship is evident from the functions entrusted to the service providers, wherein they are expected to purge their networks and websites of unauthorized content transmitted or uploaded by third parties. A failure to do so would expose service providers to liability for infringement of the content owner’s right to communication to the public, as provided in the Infosoc Directive.

The implementation of a collateral censorship model will serve as a conduit to crackdown on the freedom of expression. The reason for the same emanates from the existence of certain content which necessarily falls within the grey area between legality and illegality. Stellar examples of this content are memes and parodies. It is primarily in respect of such content that the problems related to censorship may arise. To bolster this argument, consider Facebook, the social media website which boasts 1.49 billion daily active users. As per an official report in 2013, users were uploading 350 million photos a day, the number has risen exponentially today. When intermediaries like Facebook are faced with implementation of the Copyright Directive, it will necessarily require them to employ automated detecting mechanisms for flagging or detecting infringing material, due to the sheer volume of data being uploaded or transmitted. The accuracy of such software in detecting infringing content has been the major point of contention towards its implementation. Even though content like memes and parodies may be flagged as infringing by such software, automated blocking of content is prohibited under Article 13(3) of the Copyright Directive. This brings up the question of human review of such purportedly infringing content. In this regard, first, it is impossible for any human agency to review large tracts of data even after filtration by an automatic system. Second, in case such content is successfully reviewed somehow, a human agent may not be able to correctly decide the nature of such content with respect to its legality.

This scenario shall compel the service providers to resort to taking down the scapegoats of content, memes and parodies, which may even remotely expose them to liability. Such actions of the service providers will certainly censor freedom of expression. Another problem arising from this framework is that of adversely affecting net neutrality. Entrusting service providers with blocking access to content may lead to indiscriminate blocking of certain type of content.

Though the Copyright Directive provides certain safeguards in this regard, they are latent and ineffective. For example, consider access to a “complaints and redress mechanism” provided by Article 13(2b) of the Copyright Directive. This mechanism offers a latent recourse after the actual takedown or blocking of access to certain content. This is problematic because the users are either oblivious to/ unaware of such mechanisms being in place, do not have the requisite time and resources to prove the legality of content or are just fed up of such repeated takedowns. An easy way to understand these concerns is through YouTube’s current unjustified takedown of content, which puts the content owners under the same burdens as expressed above. Regardless of the reason for inaction by the content owners, censorship is the effect.

The EU Copyright Directive’s tryst with the world

John Perry Barlow had stated in his Declaration of the Independence of Cyberspace that “Cyberspace does not lie within your borders”. This statement is true to a large extent. Cyberspace and the internet does not lie in any country’s border, rather its existence is cross-border. Does this mean that the law in the EU affects the content we view in India? It certainly does!

The General Data Protection Regulation (“GDPR”) applies to countries beyond the EU. The global effect of the Copyright Directive is similar, as service providers do not distinguish European services from those of the rest of the world. It only makes sense for the websites in this situation to adopt a mechanism which applies unconditionally to each user regardless of his/ her location. This is the same line of reasoning which was adopted by service providers in order to review user and privacy policies in every country on the introduction of the GDPR. Thus, the adoption of these stringent norms by service providers in all countries alike due to the omnipresence of internet-based applications may lead to a global censorship motivated by European norms.

The UN Special Rapporteur had envisaged that Article 13 would have a chilling effect on the freedom of expression globally. Subsequent to the Directive’s adoption, the Polish government protested against its applicability before the CJEU on the ground that it would lead to unwarranted censorship. Such action is likely to be followed by dissenters of the Copyright Directive, namely Italy, Finland, Luxembourg and the Netherlands. In light of this fierce united front, hope hinges on these countries to prevent the implementation of censoring laws across the world.

Read more

Automated Facial Recognition System and The Right To Privacy: A Potential Mismatch

Posted on by Tech Law Forum @ NALSAR

This post has been authored by Ritwik Sharma, a graduate of Amity Law School, Delhi and a practicing Advocate. In a quick read, he brings out the threat to privacy posed by the proposed Automated Facial Recognition System.

 

On 28th June 2019, the National Crime Records Bureau (NCRB) released a Request for Proposal for an Automated Facial Recognition System (AFRS) which is to be used by the police officers in detecting potential criminals and suspects across the country.

The AFRS has potential use in areas like modernising the police force, information gathering, and identification of criminals, suspects, missing persons and personal verification.

In 2018, the Ministry of Civil Aviation launched a facial recognition system to be used for airport entry called “DigiYatra”. The AFRS system is built on similar lines but has a much wider coverage and different purpose. States in India have taken steps to introduce Facial Recognition Systems to detect potential criminals, with Telangana launching its system in August 2018.

What is Automated Facial Recognition System and how does it work?

The Automated Facial Recognition System (AFRS) will be a mobile and web application which will be hosted and managed by the National Crime Records Bureau (NCRB) data centre but will be used by all police stations across the country.

The AFRS works by comparing the image of an unidentified person captured through CCTV footage to the image which has been kept at the data centre of the NCRB. This will allow the data centre to match the images and detect potential criminals and suspects.

The system has the potential to match facial images with changes in facial expressions, angle, lightening, direction, beard, hairstyle, glasses, scars, tattoos and marks.

The NCRB has proposed to integrate AFRS with multiple existing databases: these include the  Crime and Criminal Tracking Network & Systems (CCTNS) which was introduced post Mumbai attacks in 2009 as a nationwide integrated database to criminal incidents by connecting FIR registrations, investigations and chargesheets of police stations and higher offices, the Integrated Criminal Justice System (ICJS) which is a computer network which enables judicial practitioners and agencies to electronically access and share information and Khoya Paya Portal which is a portal used to detect missing children.

State Surveillance vs. Right to Privacy

In September 2017, the Supreme Court in the historic judgment of K.S. Puttaswamy vs. Union of India declared the right to privacy as a fundamental right under Article 21 of the Indian Constitution. The Supreme Court asserted that the government must cautiously balance individual privacy and the legitimate concerns of the state, even if national security is at stake. The Court also asserted that any invasion of privacy must satisfy the triple test i.e. need (legitimate state concern), proportionality (least invasive manner) and legality (backed by law) to ensure that a fair and reasonable procedure is undertaken without any selective targeting and profiling.

Privacy infringement without legal sanction and through executive action would be violative of the fundamental right to privacy and would disregard the Supreme Court directive. Cyber experts are of the view that such a system could be used as a tool of government abuse and risk the privacy of the citizens and since the country lacks a data protection law, the citizens would become vulnerable to privacy abuse.

Moreover, investigating agencies in the United States like the FBI operate probably the largest facial recognition system in the world. Cyber experts and international institutions have criticised the Chinese government for using surveillance system and facial recognition to keep an eye on the Uighur community in China. However, there have been claims that this system has an accuracy of hardly 2%, which makes it unreliable and cities like London are facing calls to discontinue this system to safeguard the privacy of its citizens.

Finally, such a tracking system impinges upon human dignity by treating every person as a potential criminal or suspect. There are no clear guidelines as to where such cameras are to be placed. The cameras will put every individual under surveillance and even the innocent ones would be tracked. Such surveillance would create fear amongst the citizens which has long term implications.

Conclusion

A rise in the crime rate poses a daunting challenge in front of the investigating agencies and robust measures must be undertaken to counter it. However, such measures should be ably backed by law and should not impinge upon the dignity and the right to privacy of the citizens.

The Data Protection Law drafted by the Justice Srikrishna Committee should be enacted by the Parliament to give legal sanction to such surveillance. Furthermore, the AFRS should be used cautiously to prevent any violation of the fundamental right to privacy.

AFRS system has the potential to bring a paradigm shift in the criminal justice system if its use is well-intentioned and within the democratic framework which ensures right to privacy and limited state surveillance.

Read more

Perils of PUBG Ban in India & the Enemies Ahead

Posted on by Tech Law Forum @ NALSAR

[Ed Note: The following post has been authored by Anirudh Vijay, a fourth year student of B.A. LL.B. (Hons.) at Faculty of Law, Jamia Millia Islamia, New Delhi. In an engaging read, Vijay talks about how the Gujarat government’s decision to ban popular game PUBG is problematic, and provides recommendations in this regard. Read to find out more!]

Introduction

Recently, in the Indian state of Gujarat, several Police Commissioners have issued orders restricting use of the popular game of Player Unknown’s Battleground (“PUBG”) under Section 144 of Code of Criminal Procedure, 1973 (“Cr.P.C.”). In pursuance of the same, 10 youngsters were reportedly arrested for disregarding these orders under Section 188 of Indian Penal Code, 1860 (“IPC). Subsequently, a PIL was filed in the Gujarat High Court by the Internet Freedom Foundation challenging the ban orders & arrests made by Gujarat Police. However, it was dismissed on the ground that the scope of the said petition does not fall under the ambit of “public interest litigation”.

In contrast, another PIL was filed in Bombay High Court by an 11-year old through his father, praying for initiation of PUBG ban, on the grounds that it promotes immoral conduct such as violence, aggression, gaming addiction, cyber-bullying etc. Following this, a Bench of the court directed the Secretary of IT Ministry to review the game and take actions if any ‘objectionable content’ is found in it. The matter is presently pending before the court.

The questions that arise here whether the orders of the Gujarat Police to ban PUBG are arbitrary or not; and whether the arrests made by the police in this regard are illegal or not. The present post shall first address and answer the above questions. This shall be followed by the analysis on the interplay between the judicial and executive process of banning the game. Subsequently, the post will put forth recommendations based on the overall discussion.

Why the Orders on PUBG Are Arbitrary & Unreasonable?

It is S. 37(3) of Gujarat Police Act, 1951 (“GP Act”) and S. 144 of Cr.P.C. that provides power to the Police to issue orders in urgent cases of nuisance or apprehended danger. The English translation of concerned orders states:

“…it comes to our knowledge that due to games like PUBG GAME/MOMO CHALLENGE violent traits are shown to be increased in youth and children. Due to these games, the education of children and youth are being affected and it affects the behaviour, manners, speech and development…”

A perusal of the order shows that the police had issued it without any substantive evidence to prove PUBG provoking violent traits. In fact, the order was issued based on mere knowledge and perception of threat without adequate evidentiary substantiation. This is in complete violation of the Ramlila Maidan Incident, In Re [(2012) 5 SCC 1] case, where the Supreme Court of India held that Section 144 cannot be invoked in case of mere apprehension, without any material facts to indicate that the apprehension is imminent or genuine.

Secondly, orders can be issued under Section 144 if there exists an urgent situation which could result in grave consequences as held in the case of Madhu Limaye v. SDM Monghyr [(1971) AIR SC 2486]. Certainly, playing PUBG does not constitute any urgent or grave consequences and is merely a game for the purpose of entertainment. Moreover, the allegation on PUBG having violent traits to cause grave consequences, was recently rejected by the Nepal Supreme Court on April’19, who stayed the PUBG ban imposed by Nepal’s government.

Lastly, the Police orders have imposed restriction on the right of free speech & expression under Article 19 of our Constitution by banning PUBG, and has thereby disregarded the ‘test of proportionality’, as applied by A.K.Sikri J. in K.S. Puttaswamy v. Union of India [(2019) 1 SCC 1, p. 132]. As per this test, the state can impinge a right (i) if there exists a law for it; (ii) such that the restriction must have a legitimate state aim; (iii) and should not have any disproportionate impacts on the right’s holder. In relation to (i), it is true that the Cr.P.C. contemplates statutory provisions to restrict such rights. However, in the present case, the Police officials have not properly adhered to it while imposing the ban, as has been discussed above. As for (ii), a ‘legitimate’ aim for the state entails making a lawful approach to maintain players’ health and tranquillity. Apparently, the police’s order does not constitute a legitimate aim as it was based on the rationale of controlling moral panic (and not health), and is bad in law. The aim pf “moral panic” is subjective and discretionary as what is moral for one, may not be moral for other. Moreover, in relation to (iii), the arrests of students made by the virtue of the said orders will have disproportionate impacts on them as they were arrested for merely playing a game. These arrests will in harm the students’ reputation at school, college and office, having a deeply negative impact on them. A proportionate approach would be psychological counselling & social support and not criminal prosecution or imprisonment initiated by the ban. Hence, the orders of the Police Commissioners are arbitrary and unreasonable.

Why the Arrests Made by Police are Illegal?

Statutorily, an arrest can be made under Section 188 of IPC for violating Section 144 of Cr.P.C. A person could be arrested only if he disobeys the order duly promulgated by a public servant, and if such disobedience causes, tends to cause, or risks obstruction, annoyance or injury, to any person lawfully employed. However, a mere disobedience of Section 144, without the aforesaid elements, is not a ground for arrest under Section 188 and the same was observed by the court in the case of Ramlila Maidan. Interestingly, Mumbai police used PUBG to promote helmet necessity for riders by sharing an image of a character of the game wearing helmet on their Twitter handle. Such promotion of game by public servants reflects that even the state’s own machinery does not apprehend any ‘obstruction, annoyance or injury’ being caused by playing PUBG. Certainly, the arrest made are illegal as it was done beyond the scope of the concerned provision.

Moreover, in the case of Gulam Abbas v. State of Uttar Pradesh [AIR 1981 SC 2198], the Supreme Court held that the purpose of Section 144 is to provide adequate, reasonable and temporary remedy to ‘emergency cases’ of nuisance or apprehended danger. Similarly, in Acharya Jagdishwarand Avadhuta v. Police Commissioner, Calcutta [AIR 1984 SC 512], the Supreme Court held that the nature of the order under Section 144Cr.P.C. is intended to meet ‘emergent’ situation. In the present case, the Police orders gave reasons that the education of children are being affected through PUBG. This effect on their studies does not constitute any ‘emergent’ situation under which there exist any risk of apprehended danger.

Thus, the ban orders as well as the arrests made by the Gujarat Police are unreasonable, arbitrary, illegal and are exercised beyond the permissible limits of the statutory provisions. If at all, a PUBG ban is found to be required, there is a proper procedure that has been statutorily stipulated to initiate it, as has been explained below:

How to Initiate A Ban On PUBG?

The Information & Technology Act, 2000 (“IT Act”) has set out the complete process of blocking Apps or online games under the Procedure and Safeguards for Blocking for Access of Information by Public Rules, 2009 (‘Rules’). Such blocking can be done either by the officers defined under the IT Act [I] or by any order issued by the court of law [II].

I. By the Executive

Rule 4 states that a “Nodal Officer” should be compulsorily be appointed by the organisation (mainly the state-government) to whom a citizen can submit his/her request for blocking any electronic information. After examining the request, the Nodal Officer transfers the application of request to the “Examination Committee” headed by the “Designated Officer”. As per the Rules, the Designated Officer is appointed by the Central government along with other representatives of Ministry of I&B, Law & Justice and Home Affairs, who are not below the rank of a Joint Secretary. This Committee checks whether the application is in accordance with Section 69A of IT Act or not and in turn submits a recommendation to the Secretary, Dept. of IT though the Designated Officer.

The direction of blocking the information is passed after the approval of the recommendation by the Secretary. This direction should also provide the reasons for blocking the game. A Review Committee, set up by the Central government, further validates this direction by setting up meetings after every 2 months and may set aside the blocking orders (if direction is not in conformity with Section 69A of the IT Act), as prescribed under Rule 14.

II. By the Court

The Rule 10 authorizes the court to block any electronic information and bounds the Designated Officer to implement the same as soon as he receives the copy of that order. Section 79(3)(b) of the IT Act holds intermediaries liable for non-compliance of the court’s order. For example, the Court in 2017 took suo moto cognizance to ban the Blue Whale Game and directed the government & intermediaries like Google Play, Apple Store etc to remove the said game from their domains.

Further, as mentioned above, any such ban must be in conformity with Section 69A of the IT Act, which provides a list of grounds based on which any electronic information may be blocked. This list includes reasons such as security of the state, friendly relations with foreign states or public order or for preventing incitement to the commission of any cognizable offence. The potentially suitable ground in the PUBG case, namely ‘preventing incitement to the commission of any cognizable offence’ has itself been interpreted as cognizable offence by the Indian courts. Therefore, the court can initiate a ban on the PUBG only after it is proved by the authorities that such game contains content which can led to the commission of any cognizable offence. Similarly, the concerned authorities defined under the Rules, 2009 can impose a ban only if they find the working of the App in contradiction to the Section 69A of the IT Act, 2000. Although Bombay High Court has made an effort to adhere to rules set out under IT Act, 2000 by approaching the Secretary of IT Ministry, yet both Gujarat Police and Gujarat HC have miserably failed to acknowledge the banning procedures under IT Act, 2000. Moreover, the Gujarat Police have processed ban which do not met the requirements of Section 69A of IT Act, 2000.

Recommendations

In view of the above discussion and analysis, the author would like to propose following recommendations:

  1. The Police officials must release all the arrests made by the virtue of the PUBG orders with immediate effect.
  2. The state must ensure that orders under Section 144 of Cr.P.C., which are exercised beyond the excessive limit and infringes the Supreme Court verdicts, should not be passed.
  3. The concerned authorities of the state should first approach the Nodal Officer, in cases where the banning of any digital source is required. The process of such banning should take place only as per the procedures laid down under IT Act, 2000.
  4. The state should resort to Section 144 only in extraordinary situations where there are no other reasonable means of preserving public health and tranquility.
  5. Psychological counselling and social support should be preferred over criminal prosecution and imprisonment as a remedy to counter the intense gaming addiction.

Read more