Search Results for: data protection

The Issue of Artificial Intelligence and its Regulation

Posted on by Tech Law Forum @ NALSAR

[Ed Note: The following post is part of the TLF Editorial Board Test 2019-20. It has been authored by Siddharth Kothari, a second year student of NALSAR University of Law.]

In an era of unprecedented technological advancements across different fields, Artificial Intelligence (AI) is poised to quiver our lives. AI refers to “a class of computer programming designed to solve problems requiring inferential reasoning, decision-making based on incomplete or uncertain information, classification optimisation and perception.”[1] Initially imagined as a technology that could mimic human smartness, AI is set out to exceed far ahead of its original conception.

Read more

Conundrum of Right to Be Forgotten: An Analysis of The Slippery Slope: To Forgive, Forget or Re-Write History

Posted on by Tech Law Forum @ NALSAR

[Ed Note : In a slightly longer read, Pranay Bhattacharya, a second year student of Maharashtra National Law University (MNLU) Aurangabad talks about the origins and development of the “Right to be Forgotten,”, using this as a background to critically analyze this right as present in India’s Draft Personal Data Protection Bill 2018.]

“Blessed are the forgetful, for they get the better even of their blunders.”

Read more

The Dark Web : To Regulate Or Not Regulate, That Is The Question.

Posted on by Shweta Rao

[Ed Note : In an interesting read, Shweta Rao of NALSAR University of Law brings us upto speed on the debate regarding regulation of the mysterious “dark web” and provides us with a possible way to proceed as far as this hidden part of the web is concerned. ]

Human Traffickers, Whistleblowers, Pedophiles, Journalists and Lonely-Hearts Chat-room participants all find a home on the Dark Web, the underbelly of the World Wide Web that is inaccessible to the ordinary netizen.  The Dark Web is a small fraction of the Deep Web, a term it is often confused with, but the distinction between the two is important.

Read more

TechLaw Symposium at NALSAR University of Law, Hyderabad – Press Note

Posted on by Tech Law Forum @ NALSAR

[Ed Note : The following press note has been authored by Shweta Rao and Arvind Pennathur from NALSAR University of Law. Do watch  this space for more details on the symposium!]

On the 9th of September NALSAR University of Law’s Tech Law Forum conducted its first ever symposium with packed panels discussing a variety of issues under the broad theme of the Right to Privacy. This symposium took place against the backdrop of the recent draft Data Protection Bill and Report released by the Srikrishna Committee.

Read more

Privacy & Transparency as Complementary Rights: Inadequacies in the Proposed Amendments to the RTI Act

Posted on by Tech Law Forum @ NALSAR

[Ed Note : The following cross – post, authored by Sayan Bhattacharya of NALSAR University of Law, was first posted on the Law School Policy Review. The link to the same can be found here. ]

By leaving essential terms undefined and placing a higher burden to disclose personal information, the amendments proposed by the Srikrishna Committee are defeating the purpose of a right to privacy i.e. to make the state more transparent and the citizen less transparent.

Read more

Regulation of Artificial Intelligence : The Way Ahead

Posted on by Tanvi Apte

The “employee” at JP Morgan called COIN,  “recruited” in June 2017, is highly efficient to say the least. It does work that earlier took 3,60,000 hours in a matter of seconds. Meanwhile, in a few developed countries ghost cars that are programmed to “drive themselves”, that is, driverless cars, are hitting the roads. On the military front, among other machines, Russia has created a semi – autonomous robot soldier called Ivan that can accurately copy the movements of a human. Attempts are being made to make Ivan fully autonomous. If Russia can create one Ivan, in time, it can also create an army of Ivans. USA also has similar “soldiers”.

The above examples are just a few of the more glamourous applications of what is called “artificial intelligence” (AI). AI is a simulation of human intelligence processes undertaken by computer systems. These processes include learning, computing, reasoning and the like. AI – powered machines are programmed through use of mathematical algorithms that can discover patterns and generate insights from data they are exposed to. These algorithms enable them to perform certain tasks that have been mathematically “fed” into their “brain”, thereby dictating their working. The global AI market is estimated to grow at 36.1% from 2016 to 2024 to reach a valuation of 3,061 Billion USD. Thus, the staggering potential of AI technology can never be understated, as will also be seen through the scope and impact of its applications.

There are three main categories of AI called Narrow AI, General AI and Super AI – in increasing order of complexity and automation capacity. Narrow AI, that is, machines which fulfill a particular purpose only, is surprisingly pervasive in our daily lives – right from the “Cortana” on Windows Operating Systems to the “Dr. Watson” present in IBM. General AI, largely not achieved yet, refers to machines that can perform several automated tasks at human capacity but are still guided through human control. An example is Tony Stark’s “Jarvis” in the Iron Man movies. Super AI, also not yet achieved, refers to fully automated robots with capacity beyond human ability – in other words, superhumans, like Arnold Schwarzenegger in “Terminator”.

With high potential of use invariably comes high potential of misuse, as has also been illustrated by Cambridge University’s ground – breaking report co -authored by 26 renowned experts on technology. Apart from technological errors, AI powered machines are at a constant risk of being hacked and used maliciously. For instance, the program of a driverless car can be tampered with to make it a kill – machine. AI can also be used to create highly realistic fake audio and video to induce certain consequences such as the alleged use of pro – Trump robots during the previous elections and their impact. Further, AI machines make our day – to – day lives more vulnerable to invasion of privacy as it becomes that much easier to secretly keep a watch on us all the time –  an example being AI- powered machines being used for state sponsored underhand surveillance, as is allegedly happening in China. To cut a long story short, the actual and potential ways to misuse AI is unending. This is where the possibility of regulation arises.

It is important to note that there already exist laws which regulate use of AI like those on privacy, data protection and cybersecurity. For example, even under the current regulatory framework, using an AI- powered machine to snoop into people’s houses will attract punishment under the relevant laws. Thus, the presence of existing regulation narrows the regulatory scope of AI. In this light, requirement of regulation now arises to either cope better with the current situation or to cope with a completely new situation unforeseen by the existing framework.

Looking at the present stage of development AI is in, the need of the hour is specific rules to cope better with the current situation, just like there are safety guidelines for hazardous industries or permissible lead levels in foodstuffs. Similar industry – centric rules like technical guidelines and disclosure requirements based on the nature of particular AIs will go a long way in ensuring accountability today. Such targeted regulation has several advantages, as has been seen with USA’s driverless – car regulatory policy. Firstly, specific regulation means an explicit statement by the law that it has an eye on AI which will deter potential misusers. Secondly, regulation will help achieve quality control. For example, it will ensure quality driverless cars that will actually help reduce accidents by eliminating human errors associated with driving. Thirdly, and most importantly, regulation will increase people’s faith in AI. A person is more likely to sit in a driverless car which he knows has to legally meet certain safety standards rather than one which does not, since the former gives him a better assurance of safety. Further, if people become more secure about the AI machines they are presently using, the popularity of AI will only increase, leading to win-win situation. Thus, the specific regulation will actually boost the AI industry rather than pull it down.

The requirement of specific rules to beef up the current framework thus being established, the question now is whether at this stage in time, additional rules are required in order to be prepared for a change in the current situation, that is, development of General and Super AI – machines which operate at or beyond human capacity. In this regard, there are fears that superhuman robots might go out of human control and prove to be an existential threat to humanity, much like the way Dr. Banner’s experiments in the “Hulk” movie turned out. Proponents of this “existential threat” theory have compared AI experiments to “children playing with a bomb”. As Elon Musk puts it, if AI goes out of human control, it would be an “immortal dictator from which we can never escape.” What Musk and several others, including Stephen Hawking, are trying to say is that because of the destructive potential of uncontrolled AI, its regulation should be proactive rather than reactive to be on the safe side. It is thus argued that the mere possibility of out – of – control robots (whenever they might develop) is enough to regulate now, the risk of unpreparedness being too great.

On the other hand, opponents of the “existential threat” theory like Mark Zuckerberg and bill Gates argue that firstly, such a situation is much too far-fetched and uncertain. Secondly, even if we decide to regulate, there is simply nothing to specifically regulate against. Such regulation is like shooting arrows in the dark. Legislation requires some kind of a base and that is absent here, since there is no concrete idea of when such robots will develop and what their characteristics will be. We cannot overreact and make laws, especially when regulation is coming at the cost of curbing innovation. Any law regulating AI will have the effect of limiting the freedom to experiment and curtailing technological growth, just like imposing sanctions on news channels has a chilling effect on the freedom of speech and expression. Further diminishing the need to regulate is the fact that the wide but uncertain scope of AI induces an inbuilt chilling effect already. For instance, to a scientist, irrespective of the legal framework, the fear that he might create armed cyborgs already constitutes a chilling effect in itself.  Further, each country will try to outdo the other in AI development, thus creating a prisoner’s dilemma situation that makes domestic regulation all the more difficult. Thus, the “existential threat” theory does not prompt regulation today.

The above arguments present a regulatory dilemma. While on one hand it is imperative to be prepared before it is too late in case the “existential threat” theory comes true, there is no concrete way to know what exactly to prepare against and when. In other words, it is too early to regulate AI now but there is no saying when it will become too late to regulate AI.

The answer to this dilemma is to take the middle ground, that is, develop broad general principles (like say, mandatory presence of a “kill switch” in every AI machine) and wait for the right time to come up with specifications, this “right time” being when technological progress clearly points towards development of advanced forms of AI with a clue as to what their specific characteristics will be. Existing principles along these lines include Asimov’s evergreen “Three Laws of Robotics” and the recently coined Alisomar Principles, which are a set of 23 guidelines to curb potential AI – related harm signed by about 1,200 AI researchers and over 2,300 others. Greater, more inclusive collaboration at the international level is essential to formulate more such principles that will ensure preparedness to cope with the future.

To conclude, presently, AI should be regulated in two ways – through specific industry – centric rules and universal general principles. While the former will help tighten the existing framework and ensure greater accountability and safety of the public, the latter will keep mankind prepared for the future developments that might take place in the AI field considering the fact that the consequences of neglecting possible AI development are too severe. Such a balanced regulatory framework will thus help cope with the both the realities as well as the implications of AI progress.

Other supporting links –

https://analyticsindiamag.com/russia-prepares-future-wars-array-ai-based-arsenal/

https://www.nytimes.com/2017/09/01/opinion/artificial-intelligence-regulations-rules.html

http://issues.org/33-4/perspective-should-artificial-intelligence-be-regulated/

https://www.technologyreview.com/s/608296/elon-musk-urges-us-governors-to-regulate-ai-before-its-too-late/

https://theconversation.com/does-regulating-artificial-intelligence-save-humanity-or-just-stifle-innovation-85718#

https://www.huffingtonpost.com/entry/should-artificial-intelligence-be-regulated_us_597a452de4b09982b737630c

http://money.cnn.com/2018/02/21/technology/malicious-artificial-intelligence-use-warning-cambridge/index.html

 

Read more

The Week That Was: 25/08/2017

Posted on by Tech Law Forum NALSAR

In this second edition of The Week That Was, we find…

  • The 9 Judge Bench of the Supreme Court of India unanimously held that Privacy is a Fundamental Right under Part III of the Constitution of India and gave hope to the LGBT+ community, and may have implications for SEBI’s move to link with Aadhaar, the Beef Ban, among other things

    In their recent Valut 7 Publication, WikiLeaks published secret documents from the ExpressLane project of the CIA. The Office of Technical Services, a branch within the CIA, has a biometric collection system that is provided to liaison services around the world — with the expectation for sharing of the biometric takes collected on the systems. The core components of the OTS system are based on products from Cross Match, a US company specializing in biometric software for law enforcement and the Intelligence Community. CrossMatch had received certification from STQC India for India’s UID Program (Aadhaar)

    • See more on: BusinessWire, GreatGameIndia News, FactorDaily, WikiLeaks.

      CrossMatch Aadhaar Kits are one Google Search Away

      The Director General of Civil Aviation (DGCA) plans to introduce a remote pilot licence for operating drones and is expected to release draft norms for regulating the use of automated aerial vehicles (AAVs).

      Ahead of Gurmeet Ram Rahim’s rape case verdict where he was subsequently held guilty Mobile Internet Services remained suspended in Haryana, Punjab and Chandigarh for around 72 hours. Following the verdict, it has been reported that (at the time of writing this post) at least 30 people have been killed and more than 250 injured. The Punjab and Haryana High Court reportedly stated that losses incurred due to violence should be recovered from selling the properties of Ram Rahim Singh. Section 144 CrPC has been imposed in 11 districts of Delhi including New Delhi.

      Meanwhile, Internet Services continue to be blocked in Darjeeling, West Bengal for more than two months. Services had been blocked in the town following deaths of party supporters in violent clashes between the Gorkha Janmukti Morcha and security forces .

      Cardiotrack, a startup which claims to use Artificial Intelligence (AI) for predicting and diagnosing cardiac diseases, disorders and ailments has tied up with Columbia Asia Hospitals in Bangalore to predict heart condition.

      The National Payments Corporation of India (NPCI) instructed its member banks to ensure that their applications be equipped to read both UPI QR as well as BharatQR by 15th September 2017.

      The Electronic Frontier Foundation released a 10+ Year brief history on Activists being silenced on the Internet and Internet Intermediaries’ Long History of Censorship.

      • See more on: EFF.

      Berlin’s Südkreuz station has been investigating how well surveillance cameras and computers can automatically recognize the faces of passersby. It is claimed that this could track terror suspects and help prevent future attacks.

      Germany seeks to draw up legal guidelines for the operation of driverless cars. The guidelines observe that the software that controls such cars must be programmed to avoid injury or death of people at all cost, that in cases of an unavoidable accident, the software must choose whichever action will hurt people the least, even if that means destroying property or hitting animals in the road.

      A Russian regulation which requires Russian operators of communication networks (mobile operators and internet providers) to record and store records of communications between all users for at least six months, and provide such data to the authorities at their request, could be in EU’s General Data Protection Regulation 2016/679.

      Internet overuse could lead to individuals becoming vulnerable to many neuropsychiatric dysfunctions such as irritation, anxiety, obsessive compulsion according to a report by research by Etiologically Elusive Disorders Research Network (EEDRN) which is an umbrella body of medical/research institutes of India including All India Institute of Medical Sciences, New Delhi, National Brain Research Centre, Haryana, and Ambedkar Centre for Biomedical Research, Delhi.

      FBI arrested a Chinese national who is facing charges related to the malware used in the 2015 data theft from the Office of Personnel Management computer systems — a breach that exposed the personal information of millions of people — according to US officials briefed on the investigation

      The Department of Justice used a Search Warrant to get data on all information available to DreamHost (a webshost) on all information available to it on an Anti-Trump Site, a website that organized participants of political protests against the current United States administration. The new warrant parameters exclude most visitor logs from the demand, set a temporal limit for records from July 1, 2016 to January 20, 2017, and also withdraw the demand for unpublished content, like draft blog posts and photos.

      • The D.C. Superior Court stated that the government must disclose to the court who will search the material and what process they will use, That information seized by prosecutors not be shared with other federal agencies, and that data not related to the investigation be put under seal with the court and not accessible to the government without additional permission. Free Speech activists however believe some concerns remain
      • See more on: Politico, SCMedia,Popehat, DreamHost, WashingtonPost, PeopleForTheAmericanWay, EFF, Reuters, BuzzFeedNews

      A computer programmer at the Multi-State Lottery Association, secretly installed software that allowed him to pick winning numbers and was collecting money from jackpots in multiple states and now faces up to 25 years in prison.

      • See more on: CNBC.

      The Temer Administration in Brazil signed an order to open a public consultation to alter the “composition, election process and the powers” of Brazil’s Internet Steering Committee.

      Daily Stormer, a white supremacist website was blacklisted by Google’s domain service, GoDaddy, Cloudfare, SquareSpace, Zoho, Sengrid, NameCheap among other service providers. The Russian Network Information Center (RU-CENTER) registered the domain Dailystormer.ru, however, it was later blocked when Roskomnadzor, the Russian media watchdog asked for it to be taken down because of extremist content. A supposedly new version of the notorious neo-Nazi and white supremacist site Daily Stormer hosted by DreamHost was later DDoS’ed.

      Alphabet Inc.’s Google lost a bid to overturn a magistrate judge’s order forcing the company to turn over Gmail data stored abroad in response to a federal warrant.

      • See more on: Bloomberg BNA.

        An activist in Thailand was jailed for sharing an article on Facebook which was found to violate Thailand’s strict lese majeste laws against insulting, defaming, or threatening the monarchy.

        • See more on: EFF.

        A hacker under the pseudonym ‘xerub’ published what they claim to be the decryption key for Apple iOS’ Secure Enclave Processor (SEP) firmware.The secure ​enclave handles the processing of fingerprint ​data from ​the ​​touch​​ID ​​sensor ​​and determines ​​if ​​it ​​is ​​a ​​match​​ or​​ not​​ while ​​it ​​also enables ​​access ​​for ​​purchases ​​for​​ the ​​user. While ‘xerub’ and Apple state that ​ user data would not be at risk from this leak. Apple has reportedly yet to confirm the validity of the key.

        In the West Bank, the Palestinian authorities have arrested six journalists in August so far, shut down 29 websites and introduced a controversial Electronic Crimes Law imposing tight controls on media freedom and banning online expression and dissent

        In a case similar to Cross v Facebook reported on the earlier edition of The Week That Was, Facebook defeated another case over not removing user comments. The plaintiff, Paree La’Tiejira, who has been an adult entertainer, was apparently questioned of her birth gender in the past and a Facebook user posted a comment on her Facebook page accusing her of having been born male among other things. Facebook won the anti-SLAPP motion having qualified under Section 230 Communications Decency Act protection.

        In a lawsuit alleging price fixing against Uber and its former CEO Travis Kalanick. Uber (and Kalanick) moved to compel arbitration on the basis of the arbitration clause in Uber’s terms of service. The district court found that Uber’s sign-up process failed to effectively form an agreement, The Second Circuit reversed the order.

        In another case, the plaintiff allegeed that Ticketmaster violates the ADA for admission ticket and parking sales for Levi’s Stadium, Ticketmaster sought to send the case to arbitration. The Court ruled in favour of Ticketmaster

        In a case on White-on-White text Trademark usage, Agdia claimed that the defendant, in 2007, put the Agdia trademark in white-on-white text on over 200 pages. Even though Google had long configured its algorithms to ignore white-on-white text. Agdia claimed that the defendant’s website was still showing up for its branded organic searches as late as 2015. The defendants moved for summary judgment, their motion was denied.

        hiQ Labs, a talent management algorithm scraped LinkedIn public profiles and offered two products, entirely predicated on LinkedIn-scraped data: (1) a prediction to employers which employees were mostly likely to be recruited away, and (2) a summary of employee skills. LinkedIn sent a cease and desist letter telling hiQ to stop scraping or face litigation. The parties tried to resolve the dispute but were unable to. hiQ then filed a preemptive lawsuit seeking declaratory relief, and sought a preliminary injunction allowing it to access public LinkedIn profiles pending resolution of the dispute. However, Goldman notes that it would be shocking if “this ruling survives any appeal intact…”

        Bankers Life, a company that sells insurance and financial products, sued one of its ex-employees (and his new employer, ASB) alleging among other things that the ex-employee violated his non-solicitation covenant through his communications on social media. It was argued that LinkedIn requests sent by Gelineau violated his non-solicitation clause. It was held that the connection request didn’t violate the non-solicitation clause. Bankers Life’s request for additional discovery was also denied

        SunFrog, a Print-on-Demand website prints user-uploaded designs on T-shirts and other merchandise. Users uploaded Harley-Davidson logos to produce what Harley considered counterfeit T-shirts. The Court issued a Trademark Injunction against the website.

        Craiglist won a $31 Million in a case against Instamotor an online and app-based used car listing service, over claims that Instamotor scraped craigslist content to create listings on its own service and sent unsolicited emails to craigslist users for promotional purposes.

        Delaware’s Governor John Carney Jr. signed SB 69 into law. This would explicitly authorize the use of distributed ledger technology (“blockchain”) in the administration of Delaware corporate records, including stock ledgers. This opens the door for such companies to issue, execute, settle, redeem and trade stock in such a way as to harness the benefits of the blockchain.

        Plaintiff Matt Hosseinzadeh published a video skit featuring the “Bold Guy” character, “Bold Guy vs. Parkour Girl” video. Ethan and Hila Klein created a “reaction video” to it. In addition to a copyright claim, Hosseinzadeh sued over the Kleins’ allegedly misleading DMCA counter-notice and their statement about the lawsuit. The Kleins won a summary judgment on grounds of fair use.

        A two Judge Bench of the Supreme Court of India held that the live feed received by Prasar Bharati from content rights owners or holders is only for the purpose of re-transmission of the said signals on its own terrestrial and DTH networks.

        • See more on: SCC Online Blog.
        • Find the case Union of India v. Board of Control for Cricket in India, 2017 SCC OnLine SC 991, decided on 22.08.2017 here.

        Elon Musk’s OpenAI software has become the first AI to beat one of the world greatest eSports athletes Danil “Dendi” Ishutin in Dota2

        A U.S. appeals court on Monday upheld the conviction of a former New Jersey-based high-speed trader who was found guilty in the first U.S. criminal trial involving the manipulative trading practice known as spoofing.

        • See more on: Reuters.
        • Find the case U.S. v. Coscia, 7th U.S. Circuit Court of Appeals, No. 16-3017 here.

        Maryland’s Personal Information Protection Act has been amended to expand the definition of personal information, modify the definition of breach of the security of the system, provide a 45-day timeframe for notification, allow alternative notice for breaches that enable an individual’s email to be accessed, and expand the class of information subject to Maryland’s destruction of records laws.

        A law has been proposed which is designed to protect private information and regulate who has legal access to it, as well as lay out penalties for those found abusing information in Oman.

        The Ninth Circuit determined on Tuesday that a plaintiff’s claim that the Fair Credit Reporting Act (FCRA) had been violated was sufficient “injury” for the case to proceed.

        The Court of Appeal for Ontario held that a utility sharing residents’ energy consumption data with police, which led to a search and criminal charges, violated their reasonable expectation of privacy.

        Ola and Uber have entered into an alliance with the Airport Authority of India (AAI) to set up designated cab zones at five AAI-run airports including Kolkata, Chennai, Pune, Bhubaneshwar, and Lucknow.

        Sharp, a Japanese electronics manufacturer, has filed a lawsuit challenging a foreign gag order that company lawyers say prevents Sharp from talking about its own brand.

        OkCupid made the unusual move of announcing that it had given a single member a “lifetime” ban on Thursday—and naming him—in order to make a point, asking its users to be vigilant about any other active members of hate groups found on the site and to report them.

        UC Web, the browser owned by Chinese internet giant Alibaba, has come under the scrutiny of the government as part of investigations against Chinese companies over data theft. If found guilty of stealing data of Indian users, the company may be banned in the country.

        Telecom regulator TRAI has issued recommendations which addressed issues like governance and legal framework for cloud services in India, data protection, moving government data to cloud, among other things.

        Facebook’s The People You May Know feature connected an individual to someone who turned out to be her great aunt by marriage (she had no Facebook friends in common). Raising privacy concerns as to how Facebook made that connection in the first place.

        The Delhi High Court sought the response of Facebook, Google and Yahoo on a plea to direct them to take down the links of Blue Whale challenge, an internet-based suicide game that has been allegedly linked to several deaths of children worldwide. Notice was also issued to the Centre and the Delhi Police asking them to inform about the steps they have taken in this regard. The ‘game’ has been banned in Uttar Pradesh. Odisha’s DGP KB Singh told all SPs in the state to keep a watch on various social media outlets and ensure that the suicide game was not available to the users in the state.

        An AI reportedly used bitcoin trail to find and help sex-trafficking victims.

Read more

The Week That Was: 11/08/2017

Posted on by vanlalvena

In this first edition of The Week That Was, we find…

  • Marcus Hutchins, the white-hat hacker known for stopping the WannaCry worm was charged with creating the Kronos banking trojan, a widespread piece of malware used to steal banking credentials for fraud and is accused of selling it to cybercrime market sites. He has denied any wrongdoing and pleaded not guilty.
    • See more on: ArsTechnicaWired, IndianExpress, Engadget, Telegraph, TechBeacon
      • Find the full indictment here

      The Californian Court of Appeal in a majority rule in Cross vs. Facebook held the plaintiff could not claim a violation of his right of publicity; the plaintiff could neither demonstrate that the advertisements used his name or likeness, nor could he demonstrate that any of the advertisements were created by, or advertised, Facebook – that the advertisements only appeared in content posted to Facebook by third parties. Facebook was held not liable.

      • See more on: EFF, Eric Goldman’s Technology and Marketing Law Blog.
        • Find the case here.

        The DC Circuit recognised that in a situation where “an unauthorized party has already accessed personally identifying data”, substantial risk of harm could be said to exist, that this risk of future injury, of identity theft, was sufficient to give the plaintiffs standing under Article III.

        • See more on: JDSupra
          • Find the case here [Attias v. CareFirst, Inc., No. 16-7108 (D.C. Cir. 2017)]
            • See also similar decisions by

              Contrarily see opposing decisions by

              Senators in the United States seek to pass a bill to regulate the Internet of Things requiring vendors to provide “the internet-connected equipment to the U.S. government to ensure their products are patchable and conform to industry security standards.”

              The function-creep that is Aadhaar could soon be linked to Voter IDs. A notification recently mandated Aadhaar numbers for obtaining Death Certificates.

              • Re: Voter ID, See more on MediaNama
              • Re: Death Certificate, See more on LiveMint.
              • Further, more than 20,000 Aadhaar numbers were [inadvertently or otherwise] published on a Punjab Govt. website

                India blocked access to Internet Archive’s Wayback machine. This was due to Court Orders obtained by Bollywood Studios

                • See more on: MediaNama,  EconomicTimes.

                  Further, as per the Minister of State for Electronics and IT, in 2017, till June, as many as 735 social media URLs and 596 websites had been blocked.

                  Biologists at USENIX Security claim that encoding malicious software into physical strands of DNA is possible; such that when it is analysed by a gene sequencer, the resulting data would become a program that would corrupt the gene-sequencing software and take control of the underlying computer.

                  The UK Govt announced a Data Protection Bill which introduces a “right to innocence” which would allow individuals to instruct social networks to delete anything they posted before the age of 18

                  ‘Self-driving cars’ might be common in the future, but we can already see some of the issues that could arise. Security researchers at University of Washington have found ways which could cause the computer vision systems to misidentify the road signs.

                  The National Cyber Coordination Centre, the Indian government’s cyber security project which scans and records meta data on the Internet is live. It would likely have access to NATGRID and other intelligence/surveillance wings such as  NMW, EMMC.

                  Scientists used a powerful gene editing tool called Crispr-Cas9 to fix mutations in embryos made with the sperm of a man who inherited a heart condition

                  • See more on: Guardian, NewsWeek, MedicalDaily, Scroll.In
                    • Find the study here.
                    • Alternatively, listen to one of the scientists working on the same speak on it here.

                    Around 175,000 connected security cameras manufactured by Chinese company Shenzhen Neo Electronics  are vulnerable to cyber attacks, according to a report by BitDefender.

                    • See more on: SecurityAffairs.
                      • Find the report by BitDefender here.

                      A Google Employee in the United States of America was fired over a controversial memo on gender diversity. Sundar Pichai, Google’s CEO reportedly said that the memo suggesting that some individuals would “have traits that make them less biologically suited to that work” was offensive and a violation of their “basic values” and “Code of Conduct”

                      WhatsApp seeks to enter the FinTech industry in India, with plans to enable payments over UPI [Unified Payments Interface]

                      Russia and China seem to be even more aggressive in clamping down on VPN services

                      Checkers, Chess, Go, and Poker were seemingly not enough, Google’s DeepMind now seeks to take on the videogame StarCraft II

                      BabyQ and Little Bing,two experimental chatbots in China were reportedly taken down due to voicing criticism of the Communist Party.

Read more

Consent to Cookie: Analysis of European ePrivacy Regulations

Posted on by Vishal Rakhecha

This article is an analysis of the newly passed ‘Regulation on Privacy and Electronic Communications’ passed by the European Union.

A huge part of our daily life now revolves around the usage of websites and communication mediums like Facebook, WhatsApp, Skype, etc. The suddenness with which these services have become popular left law-making authorities with little opportunity to give directions to these companies and regulate their actions. For the large part these services worked on the basis of self-regulation and on the terms and conditions which consumers accepted. These services gave people access to their machinery for free, in return for personal data about the consumer. This information is later sold to advertisers who later on send ‘personalised’ advertisements to the consumer on the basis of the information received.

With growing consciousness about the large-scale misuse that can take place if the data falls into wrong hands, citizens have started to seek accountability on part of these websites. With increasing usage of online services in our daily lives and growing awareness about the importance of privacy, the pressure on governments to make stricter privacy laws is increasing.

The nature of data that these services collect from the consumer can be extremely personal, and with no checks on the nature of data that can be collected, there is a possibility for abuse. It can be sold with no accountability in the handling of such information. Regulations such as those related to data collection, data retention, data sharing and advertising are required, and for the most part have been lacking in almost all countries. The European Union however has been in a constant tussle with internet giants like Google, Facebook and Amazon, over regulations, as though these companies have operations in Europe, they are not under its jurisdiction. In fact they are not under the jurisdiction of any countries except the ones they are based in. The EU on 10 January 2017 released a proposal on the Privacy of individuals while using Electronic communications which will come into force in May 2018.

The objective of the ‘Regulation on Privacy and Electronic Communications’ is to strengthen the data protection framework in the EU. The key highlights of the data protection laws are as follows:

  • Unified set of Rules across EU – These rules and regulations will be valid and enforceable across the European Union and will provide a standard compliance framework for the companies functioning in the Union.
  • Newer Players – Over-the-top services are those services which are being used instead of traditional such as SMS and call. The law seeks to regulate these Over-The-Top services (OTT) such as WhatsApp, Gmail, Viber, Skype, etc., and the communication between Internet-of-Things devices which have been outside the legal framework as the existing laws and regulations are not wide enough in scope to cover the technology used.
  • Cookies – A cookie is information about the user’s activity on the website, such as what is there in the user’s shopping cart. The new regulations make it easy for the end-users to give consent for end-users for cookies on web browsers and making the users more in control of the kind of data that is being shared.
  • Protection against spam – The proposal bans unsolicited electronic communication from mediums like email, phone calls, SMS, etc. This proposal basically places a restriction on spam, mass sending of mails or messages with advertisements with or without the end-user consenting to receive those advertisements.
  • Emphasis on Consent – The regulation lays strict emphasis on the idea of user-consent in terms of any data being used for any purpose that is not strictly necessary to provide that service. The consent in this case should be ‘freely given, specific, informed, active and unambiguous consent expressed by a statement or clear affirmative action’.
  • Limited power to use metadata – Unless the data is necessary for a legal purpose, the service provider will either erase the metadata or make the data anonymous. Metadata is data about data – it is used by the Internet Service Providers, websites and governments to make a summary of the data available to create patters or generalised behaviour to use specific data easily.

The Regulation has far-reaching effects in terms of taking into its fold businesses which were earlier not a part of the regulations and would cover any technological company which provides electronic communications services in the Union. This would require businesses to sustain costs to redesign their communication system and ensuring that their future software updates are designed in such a way that the users’ consent is taken.

The main argument raised by the proposal in favour of bringing in the new Regulation is that an increasing number of users want control over their data and want to know where their data is going and who it is accessed by. This is because of the growing consciousness about the far-reaching effects of providing huge quantities of personal information to private entities with little or no check on the use of the data.

The biggest relief given to both the users and service providers was the change in the cookie policy. The previous regulation made it mandatory for the website to take consent before any cookie was placed on the user’s computer. This would have led to the user being bombarded with requests on the computer. The new regulation lets the user choose the settings for the cookies from a range of high-to-low privacy while installing the browser and after every six months they would receive a notification that they can change the setting.

There is however the issue of how the websites will know that the user has opted out of receiving targeted advertisements. There is a possibility of using a tool called Do-No-Track – a tool when turned on sends out signals to a web browser, that the user does not wish to be tracked. The system was utilised in the past, but given the lack of consensus in the industry as to the method of usage and the fact that a large number of websites simply ignored the DNT signals, it lost its utility. This Regulation will give the much necessary push for the usage of this system as would be useful, because if a user chooses not be tracked the websites have to respect that choice.

The Regulation also makes consent the central feature of communications system. Earlier consent was said to be implied, that if the individual is using the operators service was considered as consent to allowing the operator to collect information about the end-user. This could have a huge effect on the way these entities earn revenue where in some cases the sole method of earning revenue is advertising. Technology companies have to dole out huge amounts of money to pay to run their servers and for the staff which works on maintaining the website and researching on newer technology to improve their services. Companies which are dependent on advertising could lose a large amount of the revenue which they get if a large number of its users opt-out of providing information and receiving targeted advertisements.

Several critics from the industry argue that the new framework will make it extremely difficult for the operators as they do not necessarily classify data. The multiple layers of data and information collected are simply classified as ‘analytics’. The websites do not always know the purpose the data is going to be used until after it is used. This would make it difficult for the operator when it comes to deciding what comes under the law. In addition, the operators depend on third-parties to collect the information for them. The regulation makes it abundantly clear that the information to be collected should be the bare minimum that is required to provide the services and data that is required for web audience measuring. The third-parties also would be protected under this law, if the information collected by the website necessary to provide those services or if the user has already given consent. A more transparent system instead would make the system accountable as it would give a factual basis to assess whether the operator is complying with reasonable ethical standards.

The users also have an option under the law not to receive unsolicited calls, messages and mails. These kinds of calls, messages and mails are a huge nuisance with the companies doing this facing no liability. Only UK among the countries in the EU has strict laws and hefty fines for such kind of direct advertisements. This system would require the prior consent of the user when obtaining the information and before the sending of advertisements, and inform them about the nature of marketing and the nature of withdrawal. Even though consent is given to the operator the law mandates the communication of the procedure of opting opt-out to the user in clear terms. The operator will also have to have a prefix for all the marketing calls. This is similar to India, where the TRAI initiated Do-Not-Disturb system gives the user an option to block different kinds of unsolicited and automated advertisements through calls and messages.

The Regulation can form a benchmark for the other countries. The regulation with its central focus being the privacy and consent of the user, places a requirement for transparency and accountability of the operator – a necessary condition to run any organisation providing such services. While the changes may seem radical in terms of the costs that the industry as a whole may incur, given the sensitive nature of the information that they deal with, such regulations will and should become a norm for all the players in the market and any new players who wish to join it.

Read more

The Right to Be Forgotten – An Explanation

Posted on by Balaji Subramanian

Ed. Note.: This post, by Ashwin Murthy, is a part of the NALSAR Tech Law Forum Editorial Test 2016.

The right to be forgotten is the right of an individual to request search engines to take down certain results relating to the individual, such as links to personal information if that information is inadequate, irrelevant or untrue. For example, if a person’s name is searched on Google and certain information appears relating to that person, the person can request Google to remove that information from the search results. This has its largest application in crime and non-consensual pornography (revenge porn or the distribution of sexually explicit material depicting a person without their consent). If X committed a petty crime and a person searching X’s name finds this petty crime, it leads to an obvious negative impact to X, in terms of job prospects as well as general social stigmatisation. X can ask the providers of the search engine to remove this result, claiming his right to be forgotten. The right is not necessarily an absolute right – in its current stage of discussion it merely applies to information that is inadequate, irrelevant or untrue and not any and all information relating to the person. Further there lies a distinction between the right to privacy and the right to be forgotten – the right to privacy is of information not available to the public while the right to be forgotten is removal of information already available publicly.

Read more