Welcome to our fortnightly newsletter, where our reporters Kruttika Lokesh and Dhananjay Dhonchak put together handpicked stories from the world of tech law! You can find other issues here.
Private firm blocked from buying “.org” domain
A student-run group at NALSAR University of Law
This post has been authored by Unmekh Padmabhushan, a final year student of National Law University, Jodhpur.
Machine learning is the process by which a piece of software is able to expand upon its capabilities and knowledge in a self-driven manner without any significant human input. This technology has been used, for example, in disaster warning systems and in driverless cars. Another scholarly use of such technology allows robots to derive patterns and significant correlations from enormous databases of texts in a manner impossible for human beings. This has led to an explosion in the ability of those working in the field of the humanities to analyse data like their natural sciences counterparts have done for years. [1]
TLF is proud to bring you a two-part guest post authored by Ms. Malavika Raghavan, Head, Future of Finance Initiative and Ms. Anubhutie Singh, Policy Analyst, Future of Finance Initiative at Dvara Research. This is the second part of a two-part series that undertakes an analysis of the technical standards and specifications present across publicly available documents on Account Aggregators. Previously, the authors looked at the motivations for building AAs and some consumer protection concerns that emerge in the Indian context.
Account Aggregators (AA) appear to be an exciting new infrastructure for those who want to enable greater data sharing in the Indian financial sector. The key data being shared will be extensive personal information about individuals like us – detailing our most intimate and sensitive financial transactions and potentially non-financial data too. This places individuals at the heart of these technical systems. Should the systems be breached, misused or otherwise exposed to unauthorised access, the immediate casualty will be the privacy of the people whose information is compromised. Of course, this will also have an impact on data quality across the financial sector.
TLF is proud to bring you a two-part guest post authored by Ms. Malavika Raghavan, Head, Future of Finance Initiative and Ms. Anubhutie Singh, Policy Analyst, Future of Finance Initiative at Dvara Research. Following is the first part of a two-part series that undertakes an analysis of the Account Aggregator system. Click here for the second part.
The Reserve Bank of India (RBI) released Master Directions on Non-Banking Financial Companies – Account Aggregators (Master Directions) in September 2016, and licences for India’s first Account Aggregators (AAs) were issued last year. From these guidelines and related documents, we understand that the purpose of Account Aggregator (AA) is to collect and share:
Israel spyware ‘Pegasus’ used to snoop on Indian activists, journalists, lawyers
In a startling revelation, Facebook-owned messaging app WhatsApp revealed that a spyware known as ‘Pegasus’ has been used to target and surveil Indian activists and journalists. The revelation came to light after WhatsApp filed a lawsuit against the Israeli NSO Group, accusing it of using servers located in the US and elsewhere to send malware to approximately 1400 mobile phones and devices. On its part, the NSO Group has consistently claimed that it sells its software only to government agencies, and that it is not used to target particular subjects. The Indian government sought a detailed reply from WhatsApp but has expressed dissatisfaction with the response received, with the Ministry of Electronics and Information Technology stating that the reply has “certain gaps” which need to be further investigated.
RBI raises concerns over WhatsApp Pay
Adding to WhatsApp’s woes in India, just after the Israeli spyware Pegasus hacking incident, the RBI has asked the National Payments Corporation of India (NPCI) not to permit WhatsApp to go ahead with the full rollout of its payment service WhatsApp Pay. The central bank has expressed concerns over WhatsApp’s non-compliance with data processing regulations, as current regulations allow for data processing outside India on the condition that it returns to servers located in the country without copies being left on foreign servers.
Kenya passes new Data Protection Law
The Kenyan President, Uhuru Kenyatta, recently approved a new data protection law in conformity with the standards set by the European Union. The new bill was legislated after it was found that existing data protection laws were not at par with the growing investments from foreign firms such as Safaricom and Amazon. There was growing concern that tech giants such as Facebook and Google would be able to collect and utilise data across the African subcontinent without any restrictions and consequently violate the privacy of citizens. The new law has specific restrictions on the manner in which personally identifiable data can be handled by the government, companies and individuals, and violations can attract penalties of three million shillings or prison sentences.
Google gains access to healthcare data of millions through ‘Project Nightingale’
Google has been found to have gained access to the healthcare data of millions through its partnership with healthcare firm Ascension. The venture, named ‘Project Nightingale’, allows Google to access health records, names and addresses without informing patients, in addition to other sensitive data such as lab results, diagnoses and records of hospitalisation. Neither doctors nor patients need to be told that Google can access the information, though the company has defended itself by stating that the deal amounts to “standard practice”. The firm has also stated that it does not link patient data with its own data repositories; however, this has not stopped individuals and rights groups from raising privacy concerns.
Law professor files first ever lawsuit against facial recognition in China
Law professor Guo Bing sued the Hangzhou Safari Park after it suddenly made facial recognition registration a mandatory requirement for visitor entrance. The park had previously used fingerprint recognition to allow entry, however it switched to facial recognition as part of the Chinese government’s aggressive rollout of the system meant to boost security and enhance consumer convenience. While it has been speculated that the lawsuit might be dismissed if pursued, it has stirred conversations among citizens over privacy and surveillance issues which it is hoped will result in reform of existing internet laws in the nation.
Twitter to ban all political advertising
Twitter has taken the decision to ban all political advertising, in a move that increases pressure on Facebook over its controversial stance to allow politicians to advertise false statements. The policy was announced via CEO Jack Dorsey’s account on Wednesday, and will apply to all ads relating to elections and associated political issues. However, the move may prove to have only symbolic impact, as political ads on Twitter are just a fraction of those on Facebook in terms of reach and impact.
In 2006, Clive Humby, a British mathematician said with incredible foresight that “data is the new oil”. Fast forward to 2019, we see how data has singularly been responsible for big-tech companies getting closer to and surpassing the trillion-dollar net worth mark. The ‘big 4’ tech companies, Google, Apple, Facebook and Amazon have incredibly large reserves of data both in terms of data collection (owing to the sheer number of users each company retains) and in terms of access to data that is collected through this usage. With an increasing number of applications and avenues for data to be used, the requirement of standardizing the data economy manifests itself strongly with more countries recognizing the need to have specific laws concerning data.
Standards may be defined as technical rules and regulations that ensure the smooth working of an economy. They are required to increase compatibility and interoperability as they set up the framework within which agents must work. With every new technology that is invented the question arises as to how it fits with existing technologies. This question is addressed by standardization. By determining the requirements to be met for safety, quality, interoperability etc., standards establish the molds in which the newer technologies must fit in. Standardization is one of the key reasons for the success of industrialization. Associations of standardization have helped economies function by assuring consumers that the products being purchased meet a certain level of quality. The ISO (International Standards Organization), BIS (Bureau of Indian Standards), SCC (Standards Council of Canada), BSI (British Standards Institute) are examples of highly visible organisations that stamp their seal of approval on products that meet the publicly set level of requirements as per their regulations. There are further standard-setting associations that specifically look into the regulation of safety and usability of certain products, such as food safety, electronics, automobiles etc. These standards are deliberated upon in detail and are based on a discussion with sectoral players, users, the government and other interested parties. Given that they are generally arrived at based on a consensus, the parties involved are in a position to benefit by working within the system.
Currently, the data economy functions without much regulation. Apart from laws on data protection and a few other regulations concerning storage, data itself remains an under-regulated commodity. While multiple jurisdictions are recognizing the need to have laws concerning data usage, collection and storage, it is safe to say that the legal world still needs to catch up.
In this scenario, standardization provides a useful solution as it seeks to ensure compliance by emphasizing mutual benefit, as opposed to laws which would penalize non-adherence. A market player in the data economy is bound to benefit from standardization as they have readily accessible information regarding the compliance standards for the technology they are creating. By standardizing methods for collection, use, storage and sharing of data, the market becomes more open because of increased availability of information, which benefits the players by removing entry barriers. Additionally, a standard-mark pertaining to data collection and usage gives consumers the assurance that the data being shared will be used in a safe and quality-tested manner, thereby increasing their trust in the same. Demand and supply tend to match as there is information symmetry in the form of known standards between the supplier and consumer of data.
As per Rational Choice theory an agent in the economy who has access to adequate information (such as an understanding of costs and benefits, existence of alternatives) and who acts on the basis of self-interest, would pick that choice available to them that maximizes their gains. Given this understanding, an agent in the data economy would have higher benefits if there is increased standardization as the same would create avenues to access and usage in the market that is currently heading towards an oligopoly.
The internet has revolutionized the manner in which we share data. It has phenomenally increased the amount of data available on the platform. Anyone who has access to the internet can deploy any sort of data on to the same – be it an app, a website, visual media etc. With internet access coming to be seen as an almost essential commodity, its users and the number of devices connected to the Internet will continue to grow. Big Data remained a buzzword for a good part of this decade (2010’s), and with Big Data getting even bigger, transparency is often compromised as a result. Users are generally unaware of how the data collected from them is stored, used or who has access to it. Although terms and conditions concerning certain data and its collection sometimes specify these things, they are overlooked more often than not, with the result that users remain in the dark.
There are 3 main areas where standardization would help the data economy –
With the increasing application of processed information to solve our everyday problems, the data economy is currently booming; however, large parts of this economy are controlled by a limited number of players. Standardization in this field would ensure that we move towards increased competition instead of a data oligopoly, which will ultimately lead to the faster and healthier growth of the data economy.
In 2018, Anthony Clement Rubin and Janani Krishnamurthy filed PILs before the Madras High Court, seeking a writ of Mandamus to “declare the linking of Aadhaar of any one of the Government authorized identity proof as mandatory for the purpose of authentication while obtaining any email or user account.” The main concern of the petitioners was traceability of social media users, which would be facilitated by linking their social media accounts with a government identity proof; this in turn could help combat cybercrime. The case was heard by a division bench of the Madras HC, and the scope was expanded to include curbing of cybercrime with the help of online intermediaries. In June 2019, the Internet Freedom Foundation became an intervener in the case to provide expertise in the areas of technology, policy, law and privacy. Notably, Madras HC dismissed the prayer asking for linkage of social media and Aadhaar, stating that it violated the SC judgement on Aadhaar which held that Aadhaar is to be used only for social welfare schemes.
Facebook later filed a petition before the SC to transfer the case to the Supreme Court. Currently, the hearing before the SC has been deferred to 13 September 2019 and the proceedings at the Madras HC will continue. Multiple news sources reported that the TN government, represented by the Attorney General of India K.K. Venugopal, argued for linking social media accounts and Aadhaar before the SC. However, Medianama has reported that the same is not being considered at the moment and the Madras HC has categorically denied it.
Adding to the chaos and despair for the Rohingyas, the Bangladeshi government banned the use of mobile phones and also restricted mobile phone companies from providing service in the region. The companies have been given a week to comply with these new rules. The reason cited for this ban was that refugees were misusing their cell phones for criminal activities. The situation in the region has worsened over the past two years and the extreme violation of Human Rights is termed to be reaching the point of Genocide according to UN officials. This ban on mobile phones would further worsen the situation of the Rohingyas by increasing their detachment from the rest of the world, thus making their lives at the refugee camp even more arduous.
Alphabet Inc.’s Google and YouTube will be paying a $170 million penalty to the Federal Trade Commission. It will be paid to settle allegations that YouTube collected the personal information of children by tracking their cookies and earning millions through targeted advertisements without parental consent. The FTC Chairman, Joe Simons, condemned the company for publicizing its popularity with children to potential advertisers, while blatantly violating the Children’s Online Privacy Protection Act. The company has claimed to advertisers that it does not comply with any child privacy laws since it doesn’t have any users under the age of 13. Additionally, the settlement mandates that YouTube will have to create policies to identify content that is aimed at children and notify creators and channel owners of their obligations to collect consent from their parents. In addition, YouTube has already announced that it will be launching YouTube Kids soon, which will not have targeted advertising and will have only child-friendly content. Several prominent Democrats in the FTC have criticized the settlement, despite it being the largest fine on a child privacy case so far, since the penalty is seen as a pittance in contrast to Google’s overall revenue.
Recently, researcher Sanyam Jain located online unsecured servers that contained phone numbers for over 419 million Facebook users, including users from US, UK and Vietnam. In some cases, they were able to identify the user’s real name, gender and country. The database was completely unsecured and could be accessed by anybody. The leak increases the possibility of SIM-swapping or spam call attacks for the users whose data has been leaked. The leak has happened despite Facebook’s statement in April that it would be more dedicated towards the privacy of its users and restrict access to data to prevent data scraping. Facebook has attempted to downplay the effects of the leak by claiming that the actual leak is only 210 million, since there are multiple duplicates in the data that was leaked; however, Zack Whittaker, Security Editor at TechCrunch, has highlighted that there is little evidence of such duplication. The data appears to be old since recently the company has changed its policy such that users can no longer search for phone numbers. Facebook has claimed that there appears to be no actual evidence that there was a serious breach of user privacy.
Addressing the growing data protection concerns, Mozilla Firefox will now block third-party tracking cookies and crypto miners through its Enhanced Tracking Protection feature. To avail this feature, users will have to update to Firefox 69, which enforces stronger security and privacy options by default. The browser’s ‘Enhanced Tracking Protection’ will now remain turned on by default as part of the standard setting; however, users will have the option to turn off the feature for particular websites. Mozilla claims that this update will not only restrict companies from forming a user profile by tracking browsing behaviour but will also enhance the performance, User Interface and battery life of the systems running on Windows 10/macOS.
Delhi airport would be starting a three-month trial of the facial recognition system in its T3 terminal. This system is called the Biometric Enabled Seamless Travel experience (BEST). With this technology, a passenger’s entry would be automatically registered at various points such as check-in, security etc. The Portuguese company toolbox has provided the technical and software support for this technology. Even though this system is voluntary in the trial run, the pertinent question of whether it will remain voluntary after it is officially incorporated is still to be answered. If the trial run is successful, it will be officially incorporated.
In one of the first cases of its kind, a British court ruled that police use of live facial recognition systems is legal and does not violate privacy and human rights. The case, brought by Cardiff resident Ed Bridges, alleged that his right to privacy had been violated by the system which he claimed had recorded him at least twice without permission, and the suit was filed to hold the use of the system as being violative of human rights including the right to privacy. The court arrived at its decision after finding that “sufficient legal controls” were in place to prevent improper use of the technology, including the deletion of data unless it concerned a person identified from the watch list.
This post, authored by Mr. Srikanth Lakshmanan, is part of TLF’s blog series on Account Aggregators. Other posts can be found here.
Mr. Srikanth Lakshmanan is the founder of CashlessConsumer, a consumer collective working on digital payments to increase awareness, understand technology, represent consumers in digital payments ecosystem to voice perspectives, concerns with a goal of moving towards a fair cashless society with equitable rights.
The San Francisco-based cab-aggregator giant Uber is working to kick-start an AC bus service in India. With the introduction of the AC bus service, Uber is trying to inch closer toward its goals of reducing individual car ownership, expanding transportation access and helping governments plan transportation. Pradeep Parameswaran, Uber India and South Asia head, said that “we are in the process of building the product and refining that. Some pilots are live in parts of Latin America and the Middle East. So they are the archetype of markets that would look like India”.
Uber bus will allow commuters to use the Uber app and reserve their seat on an air-conditioned bus. Uber will scan for other passengers travelling in the same direction as the rider, so that the destination is reached with fewer stops. Through its bus service, Uber is focusing on educational campuses and business centers. Earlier, Ola, Uber’s direct competitor, had launched a similar kind of bus service in limited cities in 2015, but it was stopped in 2018. At present, Gurgaon-based Shuttl provides an app-based bus service to offices. The Uber bus service in India is expected to become a reality in mid-2020.
The Israeli research company Check Point recently revealed at the Annual Black Hat Security Conference on 7th August, 2019 that WhatsApp could be hacked, causing serious potential security risks to users. According to Roman Zaikin and Oded Vanunu, they were able to change the identity of a sender, alter the text of someone’s reply on a group and even send private messages to another member in the group as a public message, such that the reply is visible to all the participants of a group. They were able to exploit the weaknesses of the application after they reverse-engineered the source code in 2018 and decrypted its traffic. Since then Check Point has stated that it found three ways to manipulate and alter conversations, all of which are exploited through its quoting feature. The creators did warn WhatsApp in 2018 that the tool could be used by ‘threat actors’ to create and spread misinformation and fake news. Facebook has responded stating that the risk is not serious, and to alter the application would mean having to store data about the sender, leading to less privacy for its users.
Several privacy commissioners across the world raised concerns over the privacy policy of Facebook’s new Libra digital currency. The countries which have raised concerns are US, UK, EU, Australia, Canada, Albania and Burkina Faso.
Calibra is the new subsidiary of Facebook and its cryptocurrency is called Libra. Calibra hopes to build a financial service on top of the Libra Blockchain. The privacy concerns raised go beyond the question of financial security and privacy because of the expansive collection of data which Facebook accumulates and has access to. Calibra issued a statement that user information will be shared in only certain circumstances but there is no definite understanding of what such situations are.
Apart from privacy concerns, the joint statement issued by the countries includes several concerns on whether Facebook should be given the right to get involved in the banking sector. If they did, they should seek a new banking charter and should be regulated by all the banking laws. These were a few of the concerns raised by privacy commissioners.
University of Oxford researcher James Pavur successfully exposed a design flaw in the GDPR, as a bogus demand for data using the “right to access” feature of the regulation saw about one in four companies reveal significant information about the person regarding whom the request was made. Data provided by the companies contained significant information including credit card information, travel details, account passwords and the target’s social security number, which was used by the researcher as evidence of design flaws in the GDPR. Pavur also found that large tech companies did well when it came to evaluating the requests, whereas mid-sized businesses didn’t perform as well despite being aware of the coming into force of the data protection regulation.
Human reviewers will no longer be used to study conversations recorded by Siri, according to a recent announcement by Apple. The move gives users a greater degree of privacy over their communications, and analysis of recordings will be suspended while the “grading” system deployed by the company is reviewed. The system refers to the manner in which contractors grade the accuracy of the digital assistant’s voice recognition system, with the primary task being to determine the phrase that triggered action, i.e. whether the user had actually said, “Hey, Siri” or if it was something else.
The past month saw a slew of antitrust investigations being opened against big tech companies such as Facebook, Google, Amazon, etc. From the EU’s announcement of an investigation into Amazon’s use of third-party retailers’ data, to the CCI’s order against Google for abusing its dominance in the Android market—the wave against Big Tech’s threats to fair competition has spanned jurisdictions.
In the latest development, the US Justice Department has decided to open a broad investigation into Big Tech companies. The investigation follows bipartisan calls from lawmakers for reining in the threats posed by big tech to the competitive market. According to the agency, the effort aims to explore grievances raised by consumers and businesses regarding search, social media and online retail services. This could lead to a heightening of calls for Amazon, Google and Facebook to be broken up. Such companies, especially Facebook, have already faced heat for the way they handle vast amounts of data and jeopardise the privacy of individual people.
Spelling further trouble for Big Tech, the Australian Competition and Consumer Commission (ACCC) submitted the Digital Report Inquiry on 26 July, 2019 which limits the market dominance of major players including Facebook and Google. The report had 23 recommendations to promote competition and increase privacy of consumers due to the lack of informed consent of consumers that presently exists. Josh Frydenberg, the treasurer of the ACCC, stated that a new division would “lift the veil” on the advertising and marketing algorithms being used by these companies. The division would also be able to conduct public inquiries and require companies to furnish any relevant information. Inquiries can be held about supply of ad services, sufficient transparency over prices and the existence of competition within the market. The report also recommended the implementation of the Australian Law Commission Report, which suggested the introduction of a statutory tort for serious invasions of privacy and a general prohibition on all unfair trade practices. Additionally, the Chairman of the ACCC, Rod Sims, stated that five investigations were underway against Facebook and Google and more could follow.
The Protection of Children from Sexual Offences (POCSO) Amendment Bill, 2019, introduced in Rajya Sabha by the Women and Child Development Minister Smriti Irani, widened the definition of child pornography, which now goes beyond videos. The amended definition now involves any photography, video, digital or computer-generated image indistinguishable from an actual child, and any image created, adapted or modified that appears to depict a child. A new section 15 has also been introduced, which proposes penalties for storage and possession of pornographic material involving children. Although the bill succeeded in garnering support from across the political spectrum, a few MPs criticised the bill for overtly emphasising the punishment of offenders and neglecting measures to curb sexual assault of children and child pornography.
The Indian cryptocurrency market received a major jolt on 22nd July 2019, with the Inter-Ministerial Committee set up under the Chairmanship of Economic Affairs Secretary Subhash Chandra Garg recommending a ban on the use of such cryptocurrencies in India. Set up to look into the legality of cryptocurrencies and blockchain technology, the Committee submitted that private currencies should be completely banned in India, and drafted the Banning of Cryptocurrency & Regulation of Official Digital Currency Bill, 2019 which mandates a fine and imprisonment of up to 10 years for offences involving the use of such currencies. However, the Committee approved of the advantages of the underlying blockchain technology and floated the idea of an official RBI-backed cryptocurrency in the future, perhaps suggesting that the future of cryptocurrencies is yet to be resolved.
Proclaimed to be among the most valuable start-ups in the world, ByteDance plans to invest USD 1 Billion in India over the next three years. ByteDance is the parent company of TikTok, a Chinese video making app which allows users to create and share videos online. On July 17th 2019, the cyber e-security arm of the Ministry of Electronics and Information Technology sent a notice to TikTok and Helo raising issues related to anti-Indian activities. They were given an ultimatum to respond by July 22nd or face severe consequences. Previously, they had also faced a one week ban in April 2019. Despite all these encumbrances, ByteDance has a promising plan for India. It plans on investing USD 1 billion over the next three years. They would also be increasing the number of employees in India to 1000 by the end of this year. ByteDance implemented several regulatory and safety measures in order to comply with the cultural and political ideologies of the country.