Employing Blockchain Technology To Systematize Organ Donation in India

Posted on September 27, 2020September 27, 2020 by Tech Law Forum @ NALSAR

[This post has been authored by Sindhu A., a final year student at School of Law, Christ University.]

In terms of organ donation, India is ranked among the lowest globally, with an organ donation rate of a mere 0.86 donors per million. According to a recent study, around 5,00,000 people need organ transplantation every year and 90 percent of the people on the waiting list die without receiving an organ. India was known as the most common source of organ trade and although there was a gradual decline with the enactment of legislations, the illegal underground market persists as a looming threat. The above-mentioned statistics indicate the need for a fundamental change in the way the Indian organ network operates. One of the most efficient ways to remedy this is to appropriate blockchain technology to better manage organ donation and allocation.

Online Dispute Resolution and the Role of Artificial Intelligence: A General Perspective

Posted on August 30, 2020August 30, 2020 by Tech Law Forum @ NALSAR

[This post has been authored by Samarth Srivastava, a 3rd year student at the West Bengal National University of Juridical Sciences.]

Introduction

Metadata by TLF: Issue 13 (1st June to 15th June)

Posted on July 1, 2020July 1, 2020 by Tech Law Forum @ NALSAR

Welcome to our fortnightly newsletter, where our reporters Kruttika Lokesh and Dhananjay Dhonchak put together handpicked stories from the world of tech law! You can find other issues here.

[Ed Note: This newsletter has been prepared by Dhananjay Dhonchak and Sanchit Khandelwal]

Technology and CPC (Part II)

Posted on February 3, 2020May 27, 2020 by Tech Law Forum @ NALSAR

This is the second part of a two-part article by Ankush Rai, a 3rd year student at NALSAR University of Law. Part 1 can be found here.

E-filing

Technology and CPC (Part I)

Posted on February 3, 2020May 27, 2020 by Tech Law Forum @ NALSAR

[This is the first part of a two-part article by Ankush Rai, a 3rd year student at NALSAR University of Law.]

In a recent case, the Delhi High Court accepted that summons could be served by WhatsApp and also stated that a ‘double tick’ would prima facie imply that summons have been duly delivered. This case serves as an example of how courts in India have gradually allowed for summons to be served through various electronic means. Additionally, this case also brings forth two larger points for consideration. Firstly, law and society are constantly in flux and one should adapt to the changes in the other. In this case, the law has adapted to the technological changes in society with the help of courts. Secondly, technology can be used to fulfil the larger objectives of law and justice in an effective and efficient manner. Herein, sticking to the ancient and rigid means of delivering summons would have further delayed the disposal of the case. By accepting WhatsApp messages as summons the Court fulfilled the larger objective of an efficient and speedy trial.

Protection for non-expressive use in India

Posted on January 13, 2020January 13, 2020 by Tech Law Forum @ NALSAR

This post has been authored by Unmekh Padmabhushan, a final year student of National Law University, Jodhpur.

Machine learning is the process by which a piece of software is able to expand upon its capabilities and knowledge in a self-driven manner without any significant human input. This technology has been used, for example, in disaster warning systems and in driverless cars. Another scholarly use of such technology allows robots to derive patterns and significant correlations from enormous databases of texts in a manner impossible for human beings. This has led to led to an explosion in the ability of those working in the field of the humanities to analyse data like their natural sciences counterparts have done for years. [1]

Welcoming The Era of Technology Friendly Laws in India

Posted on January 2, 2020December 30, 2019 by Tech Law Forum @ NALSAR

This brief introduction to regulation of autonomous vehicles has been authored by Khushi Sharma and Aarushi Kapoor, second year students of Hidayatullah National Law University (HNLU), Raipur.

[Ed. Note: This article was written before the 2019 Personal Data Protection Bill had been made public. Click here for the new Bill.]

Building safe consumer data infrastructure in India: Account Aggregators in the financial sector (Part II)

Posted on December 30, 2019December 30, 2019 by Tech Law Forum @ NALSAR

TLF is proud to bring you a two-part guest post authored by Ms. Malavika Raghavan, Head, Future of Finance Initiative and Ms. Anubhutie Singh, Policy Analyst, Future of Finance Initiative at Dvara Research.

The post is the second part of a two-part series that undertakes an analysis of the technical standards and specifications present across publicly available documents on Account Aggregators. In the previous post, the authors looked at the motivations for building AAs and some consumer protection concerns that emerge in the Indian context.

Account Aggregators (AA) appear to be an exciting new infrastructure, for those who want to enable greater data sharing in the Indian financial sector. The key data being shared will extensive personal information about individuals like us – detailing our most intimate and sensitive financial transactions and potentially non-financial data too. This places individuals at the heart of these technical systems. Should the systems be breached, misused or otherwise exposed to unauthorised access the immediate casualty will be the privacy of the people whose information is compromised. Of course, this will also have an impact on data quality across the financial sector.

It is heartening to note that the AA framework builds in a layer of software to operationalise “consent”, ostensibly to overcome consumer data protection and privacy concerns. As we set out in our previous post, consent is a necessary but not sufficient condition for effective data protection. AAs must have strong data accountability systems and access controls that operate independent of consent, to truly offer Privacy By Design. This will be crucial in engendering trust in this new system.

In this post, we introduce the concept of Privacy by Design (PbD) and use that framework to assess certain technical specifications that have been released for the AA architecture. From our analysis, we attempt to identify whether the PbD principles have been applied to the designing process of the technical architecture of AAs.

Privacy by Design principles for Account Aggregators

Privacy by Design (PbD) is a widely recognised approach that addresses the emerging systemic effects of Information and Communication Technology (ICT)[1]. Ideally, all information infrastructure must be designed in a privacy-protecting manner that does not create trade-offs between the privacy of the individuals and the efficiency of the infrastructure. Principles to enable such technological design are incorporated in the PbD framework (Cavoukian, 2011).

The PbD framework comprises of seven foundational principles that intend to make IT-interacting entities privacy assuring as a default mode of operation. These principles are as follows:

Proactive not Reactive; Preventative not Remedial: Anticipation of privacy invasive events before they occur and taking measures to prevent their occurrence.
Privacy as the Default Setting: Personal data of individuals must be automatically protected even if they take no action to explicitly do so
Privacy Embedded into Design: Privacy protections must be built in to IT systems and should not be treated as add-on of the function being delivered
Full Functionality — Positive-Sum, not Zero-Sum: PbD does not simply involve the making of declarations and commitments but relates to satisfying all legitimate objectives − not only the privacy goals. PbD is doubly enabling in nature, permitting full functionality − real, practical results and beneficial outcomes to be achieved for multiple parties.
End-to-End Security — Full Lifecycle Protection: Privacy of individuals’ personal data must be ensured throughout the lifecycle of data.
Visibility and Transparency — Keep it Open: All individuals and stakeholders involved must have full visibility into the business practices and the technology used for with regards to their data. It must be ensured that their practices are in accordance with the stated objectives.
Respect for User Privacy — Keep it User-Centric: Privacy of the individual must be given utmost importance through strong privacy defaults, appropriate notices and empowering, user-friendly options (Cavoukian, 2011).

While PbD principles are not an authoritative privacy framework within which information systems can be assessed, this framework can be operationalised through several technological practices and techniques to enhance privacy of the information systems.

Assessing the security measures of the Account Aggregator system

In order to assess how AAs fare against the PbD principles, it is necessary to understand the major flows of information within the AA ecosystem. These are between the Financial Information Providers (FIP), AAs, Financial Information Users (FIU) and consumers (users).

Figure 1 and Table 1 below seek to represent the flows that occur systematically between different entities of the AA ecosystem in a simplified form.[2]

This figure shows our representation of three sets of queries and three sets of data flows that are necessary in the AA system. These are summarised in Table 1 (mapping to the corresponding numerals in Figure 1 above).

Table 1: Query flows and data flows in the Account Aggregator ecosystem

Column 1: Query Flows		Column 2: Data Flows
1	FIU queries the AA for FI	4	User provides AA with Consent
2	AA queries the User for Consent	5	FIP transfers information to the AA
3	AA queries the FIP for FI	6	AA transfers information to FIU

In the AA system,

Queries are initiated as shown in Column 1 of the Table (from top to bottom) within the AA ecosystem. A query is a request for data or information that one entity may place to another entity that carries a database. For instance, an FIU queries AA for the desirable FI.
In response to these queries Column 2 (from top to bottom) lists the data flows that occur in response to query flows A1 to C1 respectively. In response to the query flow, the relevant data will be encrypted and flow to the entities identified in the Column 2.

In following section, we identify whether the PbD principles have been applied to the designing process of the technical architecture of the AAs.[3]

Assessing the AA’s Query Flows against PbD Principles

1. Query Flow 1: FIU queries the AA for information (1)

When a customer approaches a new financial institution for a financial product, that financial institution (or FIU) can query the AA for relevant information about such customer. The FIU creates a request for consent, or a query to obtain FI from the consumer2 In this query, the FIU must provide specifications on the required information such as account types, asset types, transaction types etc. and the duration and period in which the FIU will use this FI (NeSL Asset Data Limited, 2018).

The IT measures stipulated for this query flow are that the application programming interface (API)[4] calls between the FIU and AA must take place over a Secure Socket Layer (SSL)[5] (Hypertext Transfer Protocol Secure (HTTPS) is the application layer in this case). Each of these API calls must be digitally signed and encrypted. All internet-facing services (such as the FIU portal provided by the AA) should be placed in demilitarized zone (DMZ)[6] (NeSL Asset Data Limited, 2018).

Purpose specification appears to be a requirement for requesting FI. ReBIT provides Purpose Definitions which include the categories Personal Finance, Financial Reporting and Account Query and Monitoring with further subcategories (ReBIT, n.a.). It can be assumed that the request for consent created by the FIU stipulates the relevant Purpose Definition(s)[7].

In this flow, the privacy and security measures appear to point to the PbD principles of Positive Sum not Zero Sum and End-to-End Security – Full Lifecycle Protection.

2. AA queries the User for Consent (2)

Upon receiving the request for consent from the FIU, the AA performs the function of notifying the user that their information is being queried. The user is notified of the FIU, and the classes of information that this FIU is seeking. The AA provides a user interaction front-end (such as a web portal or a mobile device app) to the user through which they may receive these notifications (ReBIT, 2019; NESL Asset Data Limited, 2018).

The IT security measures for this query flow stipulate that the user be required to log-in to a web portal (provided by the AA) or the mobile app to either accept or reject the request for consent from the AA. This web portal or mobile app should be placed in DMZ and must be firewalled. It is also stipulated that a one-time password (OTP) be used for authentication for giving or revoking consent by the user (NESL Asset Data Limited, 2018).

In this flow, the privacy and security measures appear to point to the PbD principles of Positive Sum not Zero Sum and Visibility and Transparency – Keep it Open.

3. AA queries the FIP for information (3)

If the user approves the request for consent from the AA, a digitally signed artefact is generated and sent to the FIP along with the request for information initiated by the FIU. The FIP may store the consent artefacts to validate against future requests of information with respect to the same user and FIU (ReBIT, 2019; NESL Asset Data Limited, 2018).

It is stipulated that this query flow, and all other internal networks be firewalled (NeSL Asset Data Limited, 2018).

In this flow, the privacy and security measures appear to point to the PbD principle of Positive Sum not Zero Sum.

Assessing Data Flows against PbD Principles

1. User provides AA with Consent (4)

When the user receives the notification from their AA web portal or mobile app, the user may approve or reject such a request. If the user approves the request for consent, the consent artefact thus created is sent to the AA (Reserve Bank of India, 2018).

The IT security measures for this data flow stipulate that all payloads be digitally signed by the requester (in this case, the consent artefact should be digitally signed by the user). The AA client never sees the account of the user or directly participates in consent generation (ReBIT, 2019). All personally identifiable information (PII) (such as account numbers, phone numbers, personal identifiers etc.) present in the User Identifier section of the consent artefact must be tokenised using virtual IDs[8]. The internet-facing services (the AA front-end portal provided by the AA) must be placed in the DMZ (NeSL Asset Data Limited, 2018).

In this flow, the privacy and security measures appear to point to the PbD principles of Positive Sum not Zero Sum, End-to-End Security – Full Lifecycle Protection and Visibility and Transparency – Keep it Open. However, it is difficult to state whether the principle of Respect for User Privacy — Keep it User-Centric given the central importance of consent as a sufficient safeguard for user privacy.

2. FIP transfers information to the AA (5)

Once the AA forwards the consent artefact to the FIP, the FIP validates the same and responds with the information requested for in the consent artefact. When the FIP notifies the AA that the required information is available, the AA pulls the information from the which is stored in its transient store. The required information must be returned in real-time.

The IT security measures for this data flow stipulate that API calls between the AA and the FIP take place over the SSL, the information be transferred only once the consent artefact has been validated and the returned information be in encrypted, digitally signed and be in a machine-readable format. Any information stored in the transient store of the AA must also be encrypted (NeSL Asset Data Limited, 2018).

In this flow, the privacy and security measures appear to point to the PbD principles of Positive Sum not Zero Sum and End-to-End Security – Full Lifecycle Protection.

3. AA transfers information to FIU (6)

After pulling the information from the FIP and storing it in the transient store, the AA notifies that the required information is ready. The FIU fetches this information from the AA.

The IT security measures for this data flow stipulate that the users’ information never be decryptable while in the transient store of the AA. The data-in-transit (FI) must also be encrypted. The AA is required to stipulate a time frame within which the FIU must pull the information from the transient store of the AA. The information may be stored in the AA for a maximum of 72 hours. Finally, it is also required that once the information has been pulled by the FIU, the AA must delete the information from its transient store (NeSL Asset Data Limited, 2018).

In this flow, the privacy and security measures appear to point to the PbD principles of End-to-End Security – Full Lifecycle Protection.

Insights from our assessment of AAs against PbD principles

Our assessment of the AA framework reveals some causes for optimism, and some for concern.

1. Consent as the primary safeguard for user privacy is not enough:

Theoretically, the DEPA framework provides the user with complete control over how their information is used. The users also have the provision to provide, pause and revoke their consent through the web portal or mobile app of the AA.

However, this approach assumes that consent is a sufficient condition to provide user privacy. It also assumes that the user is comprehensively aware of the consequences of the consent they are providing, which is often not the case. Consent is important in providing agency and autonomy of choice to users, but cannot be considered a holistic, user-based privacy manager. The insufficiencies of consent have been discussed in the previous blog of this series.

2. Fulfilment of the PbD principles by the AA ecosystem:

From our analysis, it was observed that some PbD principles appear to be fulfilled, sometimes partially if not completely. PbD principles of Positive Sum not Zero Sum, End-to-End Security – Full Lifecycle Protection and Visibility and Transparency – Keep it Open appear to be accounted for in the architecture of the AAs.

However, other significant principles of Proactive not Reactive; Preventative not Remedial, Privacy as the Default Setting, Privacy Embedded into Design and Respect for User Privacy — Keep it User-Centric do not seem to be fulfilled in this architecture. While there may be aspects in the query and data flows that may point to these principles, on an overarching level, it cannot be said that these principles have been incorporated.

For instance, this is reflected in the fact that there are no technical safeguards to ensure that FIU entities do not misuse the personal data they receive from AAs. This does not incorporate the principle of Proactive not Reactive; Preventive not Remedial. We must ensure that FIUs have sound cyber security practices and codes of conduct before they are integrated in to the AA ecosystem.

Accountability of FIUs and FIPs with respect to the personal data they receive from AAs:

A central issue that these flows force us to ask is: how will data be protected after an FIU receives it from an AA, and it disappears into the FIU’s systems? It appears that the first time that a consumers’ data by AAs it would take place in an ecosystem that is designed in a secure and privacy protecting manner. If the data is then ejected into an FIU with insecure, privacy depleting system it would defeat the entire purpose of secure data sharing infrastructures.

The accountability of FIUs and FIPs with respect to the personal data they receive through the AA system needs clarification. Mere legal threats of enforcement will be insufficient – strong technical solutions to address this risk must be developed to ensure privacy is protected after entities receive information from AAs.

These concerns need to be addressed before full-fleshed public release into the market.

Conclusion: Large data infrastructures for finance in India must consider legal obligations as well as technological safeguards

It appears that most cybersecurity and privacy-protecting practices for large data infrastructures have been proposed for the AA ecosystem (European Union Agency for Network and Information Security, 2015). Practices of external security audits and suspicious transaction pattern monitoring have also been stipulated. However, safeguards on the use of FI after it has been obtained by the FIU, and other such provider obligations cannot be seen. If an FIU were to be considered a data fiduciary[9], it is unclear whether they would be obliged to notify data breaches occurring in their organisation internally. There appear to be no technological safeguards hardwired in to the architecture of the ecosystem that prevents misuse of FI by FIUs and legal obligations on FIUs are deemed to be sufficient.

From our analysis of the AA architecture using the PbD framework, we see that some principles of the framework have been incorporated partially, but there appear to be several disjoint points where user privacy do not take priority. This is especially important to consider given that most Indians would be first-time users of such technology, or even enabling technological infrastructures such as mobile phones or internet. Separately, the draft PDP bill stipulates Privacy by Design as a Transparency and Accountability measure that must be implemented by every data fiduciary.[10]

Data Empowerment and Protection Architecture (DEPA) makes for a commendable first step towards empowering Indians with the control of their personal data, it must be noted that consent independent of appropriate accountability measures for the providers and data fiduciaries. Legal obligations are important for this, but there needs to a strong technological backing in terms of codifying concepts of purpose limitation and collection limitation in order to safeguard consumers and their personal information.

References

Cavoukian, A. (2011). Privacy by Design – The 7 Foundational Principles. Retrieved from Information and Privacy Commissioner of Ontario: https://www.ipc.on.ca/wp-content/uploads/resources/7foundationalprinciples.pdf

European Union Agency for Network and Information Security. (2015, December). Big Data Security: Good Practices and Recommendations on the Security of Big Data Systems. Retrieved from European Union Agency for Network and Information Security (ENISA) : https://www.enisa.europa.eu/publications/big-data-security/at_download/fullReport

MEITy. (2018). The Personal Data Protection Bill, 2018. Retrieved from Ministry of Electronics and Information Techonology: https://meity.gov.in/writereaddata/files/Personal_Data_Protection_Bill,2018.pdf

NeSL Asset Data Limited. (2018, June 28). Request for Proposal for Selection of Vendor for Design, Development, Installation, Integration, Configuration, Support. Retrieved from National e-Governance Services Limited (NeSL): https://www.nesl.co.in/wp-content/uploads/2018/06/NADL_RFP_26062018-update.pdf

ReBIT. (2019). Account Aggregator API. Retrieved from Swagger: https://swagger-ui.rebit.org.in/?url=https://s3.ap-south-1.amazonaws.com/api-spec-prod/api_specifications/account_aggregator/AA_1_1_1.yaml#/Consent%20Flow/post_Consent

ReBIT. (n.a.). Account Aggregator Purpose Definition. Retrieved from ReBIT: https://api.rebit.org.in/purpose

Reserve Bank of India. (2018, February 23). Master Direction- Non-Banking Financial Company – Account Aggregator (Reserve Bank) Directions, 2016 (Updated as on February 23, 2018). Retrieved from Reserve Bank of India: https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=10598&Mode=0

Zuppo, C. M. (2012). Defining ICT in a Boundaryless World: The Development of a Working Hierarchy. International Journal of Managing Information Technology (IJMIT), 13-22. Retrieved from https://s3.amazonaws.com/academia.edu.documents/38212933/4312ijmit02.pdf?response-content-disposition=inline%3B%20filename%3DDefining_ICT_in_a_Boundaryless_World_The.pdf&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWOWYYGZ2Y53UL3A%2F20191211%2Fu

[1] Information and communications technology (ICT) is an extensional term for information technology (IT) that stresses the role of unified communications[1] and the integration of telecommunications (telephone lines and wireless signals) and computers, as well as necessary enterprise software, middleware, storage, and audiovisual systems, that enable users to access, store, transmit, and manipulate information (Zuppo, 2012).

[2] It must be noted that this table is only representative of the use-case of the FIU seeking information of a user from the FIPs that have the information of the user. It does not cover the other proposed functions of AAs such as providing users with consolidated views of their FIs, users seeking their own data from FIPs, allowing users to manage previously given consents etc. (NESL Asset Data Limited, 2018; Reserve Bank of India, 2018).

[3] For this analysis, we refer to the following available documentation: Master Direction- Non-Banking Financial Company – Account Aggregator (Reserve Bank) Directions, 2016 released by the RBI (Reserve Bank of India, 2018), Account Aggregator Key Resources on the Sahamati website and the Request for Proposal (RFP) for Selection of Vendor for Design, Development, Installation, Integration, Configuration, Support & Maintenance of Account Aggregation software by NESL Asset Data Limited (NeSL Asset Data Limited, 2018).

[4] Application Programming Interfaces or APIs are a set of definitions or protocols used for building or integrating different technological platforms to provide convenience in their interaction for services and/or data. For instance, Uber uses the publicly available API of Google Maps on their interface.

[5] Secure Socket Layer, or SSL is a standard protocol used for the secure transmission of documents over a network through authenticated and encrypted links.

[6] Demilitarized zone, or DMZ is a sub-network that provides an additional layer of protection to the local network of a given organisation or system. The DMZ is located behind the firewall and is available to the public, i.e., the public can access resources and services present in the DMZ without being able to penetrate the local network.

[7] Other Purpose Codes include Personal Finance (for wealth management services and obtaining customer spending patterns, budgets or other reporting), Financial Reporting (for aggregated statements) and Account Query and Monitoring (for periodic or one-time consent for monitoring of accounts) (ReBIT, n.a.).

[8] Tokenisation refers to the process of replacing sensitive data or personally identifiable data with unique identification symbols (referred to as the token) that retain all the essential information about the data without compromising its security. For instance, in 2018, the Unique Identification Authority of India (UIDAI) issued a circular stating that Aadhaar holders could start using temporarily-generated virtual IDs (tokens) in lieu of sharing their Aadhaar numbers for authentications for availing various services.

[9] Data Fiduciary is a term used in the draft Personal Data Protection Bill, 2018 to refer to any person, including the State, a company, any juristic entity or any individual who alone or in conjunction with others determines the purpose and means of processing of personal data (MEITy, 2018).

[10] S(29), Chapter VII, draft Personal Data Protection Bill, 2018 (MEITy, 2018).

Chance or Skill: Fantasy Sports Leagues and Gambling

Posted on December 3, 2019December 13, 2019 by Tech Law Forum @ NALSAR

This piece has been authored by Karthik Subramaniam, a second year student at NALSAR University of Law. It discusses the debate surrounding Fantasy Gaming Leagues and gambling.

Spectator sports have been popular since time immemorial. fantasy sports leagues across the world have gained huge fan bases and manage to rake in massive revenues. The National Football League (NFL), the premier American Football tournament in the United States managed to generate revenue of around 13,680 million USD in 2017, which surpasses the GDP of almost 64 countries. Many individuals see these leagues as geese that lay golden eggs, thereby, motivating them to get involved.

Sports Fantasy leagues are games in which participants accumulate points based on the statistical accomplishments of the athletes they have selected to their teams based on a draft. One of the earliest published accounts of a fantasy sports involved Oakland businessman Wilfred “Bill” Winkenbach who devised fantasy golf in the latter part of the 1950s in the United States.With sports leagues such as the National Football League (NFL), the National Basketball Association (NBA), Major League Soccer (MLS), Major League Baseball (MLB) and the National Hockey League (NHL) present in North America, Fantasy Sports Leagues boasted almost 56.8 Million players in 2015. With people spending an estimated 11 Billion USD on online fantasy leagues in 2013, the need for regulations in the area becomes all the more important. The spending of so much money on a game where the pay-outs are highly uncertain draws a very fine line between such spending and the illegal act of gambling.

The Unlawful Internet Gambling Enforcement Act of 2006(UIGEA) is a legislation in the United States that regulates online gambling and ensures the protection of individuals operating in this rapidly booming field. The UIGEA prohibits gambling businesses from knowingly accepting payments in connection with the participation of another person in a bet or wager that involves the use of the Internet and that is unlawful under any federal or state law. The presence of this legislation has made gambling over the internet illegal. In fact, betting on sports is illegal in all American states apart from Nevada. The reason fantasy football and other such fantasy sports fall outside the ambit of being a gamble or wager is due to the UIGEA. The legislation says that games of “skill” played for a certain reward (money in most cases) can be permitted to continue online, while games that involve an element of “chance” cannot. UIGEA includes a specific exemption for fantasy sports from being considered as gambling, provided that they meet three essential requirements: 1) The value of the prize involved is entirely independent of the number of players involved, 2) the outcome is based on the relative knowledge and skill of the participants and determined by statistical results, and 3) the outcome cannot be determined by the score of the game or based solely on one individual player’s performance in a single real sporting event. These specific exceptions were carved out to accommodate the slowly growing (in 2005) industry of online fantasy gaming. In a letter dated Feb. 1, 2006, the top lawyers from the NFL, NBA, NHL and MLB asked members of Congress to co-sponsor UIGEA, which included the fantasy carve-out. The legality of the same has allowed many states to impose taxes on fantasy gaming, allowing them to join in on the money bandwagon as well.

The Indian standpoint on this is based on the differentiation between games involving chance, and games involving skill as well, as laid out in the American context.

The Fantasy Sports League sector in India has been gaining steam for a while. Recently, in April 2019, Dream11, a Mumbai-based fantasy gaming start-up became India’s first gaming unicorn. The online gaming revenue is expected to increase from around 2,000 crores in 2014 to around 11,900 crores in 2023. The sector has undergone a massive change over the last few years with people rapidly gaining interest.

The current Indian legislations that deal with gaming in India are the Public Gambling Act, 1867(PGA) and the Prize Competitions Act, 1955(PCA). The 1867 Act, being a pre-Independence legislation offers a colonial approach to gambling, which put forward a largely anti-gambling rhetoric.[1] While this legislation looks at predominantly criminalising gambling in most cases, it also tries to distinguish between betting on a “game of chance” and staking on a “game of skill” to provide a safe harbour to activities such as wagering on horse races which were extremely popular amongst the British. While the application of this legislation was limited to the erstwhile British presidencies, the adoption of the principle espoused by the statute in most state legislations illustrates a similar mind-set showcased by Indian states.

Very much like the UIGEA, the Indian position with respect to declaring online-fantasy games as legal lies on the emphasis given on “games of skill”. While the PGA does not clearly mention specific games that constitute as games of “mere skill”, Indian courts have by and large adopted the “dominant factor test” or “predominance test” which requires the court to analyses the case and verify if chance or skill “is the dominating factor in determining the result of the game”.[2] Courts have recognised that no game is a game of pure skill alone and almost all games involve an element, albeit infinitesimal, of chance.

Based on the above, Sports Fantasy games have been exempt from the provisions of the PGA and have been declared as a legitimate business activity protected under Article 19(1)(g) of the Constitution of India. With a high potential for growth in the Indian market, foreign entities have been looking at exploring possibilities in the country. The classification of games into those involving “skill” and those involving “chance”, in India has been very vague, and often left up to the interpretation of courts. In an era of growing acceptance and evolution there is a requirement of an effective legislation specifically classifying activities as illegal gambling, separating it from those involving preponderance of skill.

[1]Vivek Benegal, Gambling Experiences, Problems and Policy in India: A Historical Analysis, in 108, =&0=&, December 2013, 2062-2067.

[2]Dr. K.R. Lakshmanan v. State of Tamil Nadu, AIR 1996 SC 1153; State of Andhra Pradesh v. K. Satyanarayana, AIR 1968 SC 825.

Algorithms: Can They Collude?

Posted on November 19, 2019December 13, 2019 by Tech Law Forum @ NALSAR

This piece has been authored by Lokesh Vyas, a fourth year law student at Institute of Law, Nirma University, Ahmedabad. Here, he gives a lucid explanation of issues posed by the increasing use of algorithms.

The Cloak of Algorithms

Unlike the traditional market, the digital economy does not have any geographical limits. Thus, there is fierce competition among all the players. However, due to the unequal availability of resources, it is becoming increasingly difficult for new aspirants to join the market. The use of pricing algorithms, presently adversely affects the present landscape of online retail.

An algorithm is an established computational procedure that takes a set of values, as input and produces another set of values as output. A catena of algorithms is used in the market to create artificial transparency.^[1] These algorithms are called pricing algorithms because competitors in the market use them to set prices after gauging market behavior and competitors. They help competitors to outlive others through optimum pricing. Such a scenario creates artificial algorithmic transparency in the market. However, with an increase in such algorithms in the market, it becomes easy to predict the change in the market. An increase in the accuracy of such predictions, not only strengthens the dominance of certain competitors but also eliminates small competitors altogether, hindering consumer welfare.

Unilateral decision making, the right to make intelligent decisions is a fundamental right of any business, since they aim at maximizing profit. The exercise of such a right effectuates conscious parallelism which is a legitimate and obvious factor in any market. However, the artificial transparency that continues to exist due to algorithms enables competitors to control the market.

Further, the increasing transparency in the market creates interdependency among the competitors, thereby incentivizing collusion. Algorithms create a god’s eye view, enabling competitors to monitor activities in the market in real time. Market players are less likely to deviate because of the instantaneous fear of retaliation.

Hence, the algorithms become a cloak to escape liabilities under competition law. Such tacit collusion has not been considered not barred by the law.

Challenges

The primary question is, does traditional competition law accommodate the recent trends in the market such as pricing algorithms and if so, how? The challenge before competition law authorities is to detect whether tacit collusion exists among competitors, and whether it negatively impacts consumer welfare.

Additionally, questions about communication and liability arise. The absence of explicit communication is a major issue when considering collusion, because in order to prove collusion, there must be an existence of communication. Algorithms have enabled companies to escape the necessity of explicit communication.

Another issue associated with such algorithms is that of liability, because there is no human intervention which facilitates such tacit collusion. Thus, it becomes difficult for authorities to ascertain the liability of the final wrongdoer. The three possible assertions with respect to liability are; the liability of the person who invents such algorithms; the liability of the person who deploys them; the liability of the person who gains from such algorithms.^[2]

None of the above acts are explicitly prohibited by law unless a mala fide intention [intentional cartelization] to cause harm is proved. Competition law only outlaws bilateral or multilateral decision making by the competitors because it implies the existence of cartelization. By contrast, the adoption of pricing algorithms through undertakings merely enables them to attain dynamic pricing. The issue arises when competitors maximize their profit by colluding with each other, by entering into automatized virtual agreements. As per the current debate on algorithmic collusion, algorithms are used to facilitate an existing price agreement between the competitors. They simply act as intermediaries, as an extension of the human will. Alternatively, the algorithms are designed to result in a tacitly collusive result. Here, unilaterally designed algorithms learn to tacitly understand each other due to limited market characteristics. Presently, two scenarios emerge when considering algorithms that could cause collusion.

The first is the ‘messenger scenario’, since here algorithms acts as an instrument of collusion, including the implementation of agreed price adjustments as well as the monitoring of such agreements. An example of this is the US Department of Justice and UK Competition and Markets Authority’s proceedings regarding the distribution of posters through the Amazon Marketplace. Here, the companies involved initially agreed via e-mail that they would not underbid each other. After an attempt at the manual adjustment of prices had proved too complex, both companies used (different) repricing software. Pertinently, this software made it possible to monitor competitors’ prices and dynamically adjust one’s own prices according to those of competitors. The software was set so that the products were offered at the same price as long as no third (uninvolved) dealer with a lower price was active on the market.

In the second scenario, a collusive market comes about because the behavior of companies is canonically harmonized by using similar algorithms or by using algorithms which adapt to change in the others. Such agreements do not come under the general definition agreement, however there exists a tacit ‘meeting of mind’ among the competitors. Hence, the traditional definition of a contract under competition law needs to revisited in order to include such collusion. Notably, the definitions of an anti-competitive agreement under Section 3 of the Competition Act, 2002, Section 1 of the Sherman Antitrust Act, 1890, and Article 101 of the Treaty on the Functioning of the European Union do not cover mere ‘meeting of mind’ which exists due to such virtual agreements.

The use of algorithms in the market cannot be curbed altogether, since it would tremble the pillar of the digital economy. However, there is a need for regulatory policies to accommodate for the status quo. Pertinently, mutual price monitoring—the crux of tacit collusion which is not prohibited by Competition Law—must be addressed again.

The meaning of communication, a pre-requisite for constituting anti-competitive behavior also needs to be revisited to prevent ‘algorithm driven cartelization’. Pricing algorithms create a barrier for new entrants which in the long run affects market efficiency. Such a barrier is likely to impede the innovation in the market, which has direct nexus with consumer welfare.

Information Technology Act, 2000

There have been a lot of cases where e-commerce platforms and social media websites have been cleped as intermediaries, however, it is largely connected with the content uploading. Similarly, Section 2 of the recent Motor Vehicles (Amendment) Act, 2019 defined aggregators such as Uber and Ola as digital intermediaries or marketplaces which can be used by passengers to connect with cabs. The question of intermediary liability primarily deals with content uploading or verification, and attracts the applicability of IP laws or other criminal laws.

However, the competition in the market is so fierce today, that independent firms like Feedvisor and Intelligence Node have started offering algorithmic pricing as a service. Here, the question arises whether such firms are intermediaries under section 2(w) of Information Technology Act, 2000 and do not attract liability (see Section 79 of the Act) because they are a link that collects the information of various competitors and compares them to produce the best results for a third party. Thus, the applicability of the safe harbor provision on algorithm deploying companies also needs to be considered, since they are aware about the effects and utilization of these algorithms.

Algo 1- Algorithm P
Algo 2- Algorithm P

[The above diagram demonstrates a scenario where a common algorithm (Algo P) is used by two different business entities(Firm A & Firm B).]

Conclusion and Suggestions

There have been four approaches to solving the above problems so far:-

To broaden the interpretation of competition laws;
To insert new provisions in the existing legislation;
To use more rigorous alternative methods of dispute resolution; and
To act in a way that parallel consciousness would not happen.

The underlying assumption of all the above approaches is that algorithms are inherently perilous to the market and pose threats to the fair competition in markets. The heart of the entire pricing algorithms debate revolves around the term ‘contract’ which needs to be revisited and interpreted. The term contract/agreement connotes ‘meeting of mind’ and the meeting of mind suggest the intention of the parties to agree on something. The most strenuous task before the competition law agencies is to ascertain such intention even when such explicit agreement is lacking.In order to curb the above challenges, the intervention can either be in the form of making big legal changes (e.g. Expanding the scope of major offenses like cartelization and abuse of dominant position) or to come up with small interventions (such putting a cap on the price change for more than a certain number of times in a day).

Therefore, competition law authorities can retaliate to such changes by bringing enforcement algorithms which can detect deviant or anomalous behavior in the market and thwart them timely.

^[1] See Virtual Competition by Ariel Ezrachi and Maurice E. Stucke.

^[2] See Virtual Competition by Ariel Ezrachi and Maurice E. Stucke.

Figure taken from here.