Kill the Kill Switch

The internet has grown from being just a communication medium to becoming a marketplace, an entertainment source, a news centre, and much more. At any given moment, there are thousands of gigabytes of information travelling across the planet. But all of this comes to a standstill when the internet shuts down. An internet shutdown is a government-enforced blanket restriction on the use of internet in a region for a particular period of time. The reasons vary from a law and order situation to a dignitary visiting the place. There is a requirement for an analysis into whether such shutdowns can be justified, even on the direst of grounds.

These shutdowns can be initiated with little effort, as far as the authorities are concerned, because the Internet Service Providers (ISPs) do not hesitate to follow government ‘directives’. The justifications provided by them can range from being possibly reasonable to being absurd. For example, in February, the Gujarat government blocked mobile internet services across the state because the Gujarat State Subsidiary Selection Board was conducting exams to recruit revenue accountants. This was done given the “sensitive nature of the exam” and that it was “necessary to do so to prevent misuse of mobile phones.” This step is very clearly disproportional in terms of actions and effects. There are other methods through which the exam officials can stop malpractice in exams, with stopping mobile internet over the entire state being not only inefficient, but also highly disruptive to the general populace. This distinction as to whether the step is proportional gets complicated when the government justifies shutting down the internet on grounds of law and order situations or national security.

Before we answer these questions, we need to first probe into the very foundation on which a democracy functions – discourse. The very nature of democratic discourse necessitates the need to have information. When there is lack of information, public discourse loses its functionality, as the participants’ understanding will not be enough to provide targeted solutions to the specific problems to be addressed. The internet has now become one of the most important mediums for information dissemination, with the ability to provide ground level data about the people where the conventional media cannot enter or does not want to. It acts as a medium for those sections of the society, which are normally outside the purview of the mainstream, to be able to raise their voice for general public to hear. By virtue of this, it becomes an important tool in furtherance of the democratic process – the right of free speech and expression. Keeping this extremely important function of the internet in mind we can now analyse the problem of internet shutdowns.

The following questions must be answered to even consider shutting down the internet: first, whether the problem is so huge that it becomes necessary to take such an extreme step; second, whether the government has considered other alternatives, even if the problem is big enough; third, whether the functioning of a major communication channel will benefit or harm the general population and; fourth, whether there are enough safeguards to ensure that the government does not abuse this power that has been provided.

The concept of shutdowns even when there is a valid justification can be problematic. When the unruly sections are using a few limited channels to spread hate and rumours the government can shut down those specific channels and contain the situation instead of shutting the entire internet accessability down, which affects the businesses and lives of millions of innocent parties. This also reduces the collateral damage that can take place from shutting down websites which are harmless or even more tangibly systems which banks run on. Despite all of this if a blanket restriction is required, the question arises as to who should be able to put it. Section 144 of the Criminal Procedure Code has been employed here, however its validity has been called into question multiple times.

There are enormous free speech implications of not letting people make use of an important communication channel. Earlier the conventional media were the sole sources of information for the general public, making them the gatekeepers of information. These organisations though free to a great extent can be influenced by the government to not attack it directly or not report certain atrocities by instilling a fear of some sort of sanction. With the advent of internet enabled communication channels, each and every individual could contribute to the broader pool of information. By shutting down the internet, the government is cutting off the information at the source about the situation. This leads to concerns related to accountability as there is little ground-level data about the atrocities or any excessive use of force used by the law enforcement authorities.

Furthermore, when there is a law and order, for example in cases in Gujarat government shut down during the Patidar movement situation it becomes very important that the people do not get misled by fake news and rumours, and the internet could prove to be a very useful tool to fight fire with fire. The government can use the same channels to reach out to the public and reduce the amount of confusion. For example, during the Cauvery Riots the Bangalore City Police effectively used Twitter and Facebook to dispel rumours and instil a sense of security among the people. Not letting an average citizen participate and engage with the other individuals and the state during tough times further alienates them. The safety of the loved ones during these situations is the top most priority of the general populace. The internet serves as a medium to communicate with them and during internet shutdowns the access to this is cut off. This only leads to further chaos and unrest, and thus shutting down accessibility is counterproductive.

One of the most significant and tangible damages that the blocking of internet does is to business establishments. According to Brookings institute, the damage that is done due to internet shutdowns is $968 million from July 2015 to June 2016 in India. Banks  are largely dependent on the internet to conduct their daily transactions, and face massive problems during a shutdown. The infrastructure that is required in using debit and credit cards, ATM’s and internet banking work on the power on internet. In addition, this affects the brick-and-mortar stores as a significant number of them have started to move towards using digital payment modes post demonetisation. Needless to say, the most immediate impact is faced by e-commerce websites who by the very nature of their activities are reliant on internet.

There is also a more insidious side to this. When an easier measure like cutting access to a communication medium is used to address a broader societal complication, it is only a surface level step of cutting off of engagement on that issue. The move of shutting down the internet is only a highly publicised step, which makes it seem like the shutdown is a part of a bigger set of measures being used to tackle the situation. This creates an illusion where the actual problem continues to persist.  The state will continue to use only coercive power to deal with it. Targeted measures which would provide for much better long-term solution are not taken into consideration due to lack of political will or simply lethargy on the part of establishment. In addition, this points to the wider issue of a lack of understanding both of the actual issues at hand and the manner in which the internet works, in terms of how interconnected the populace is with the internet and thus the effect it has on the entire society.

As more and more people start joining the internet and the government starts pushing towards a digitised economy, it becomes all the more necessary to not shut the internet down. The local, state and national governments need to take responsibility for public disorder and engage with the issue at hand. The state needs to start balancing the interests of national security and also protection of individual rights.

The Internet Freedom Foundation has  launched a campaign to address this very issue- support them by going to keepusonline.in and signing the petition for the government to make regulations, so as to reduce arbitrariness while imposing these shutdowns.

Consent to Cookie: Analysis of European ePrivacy Regulations

This article is an analysis of the newly passed ‘Regulation on Privacy and Electronic Communications’ passed by the European Union.

A huge part of our daily life now revolves around the usage of websites and communication mediums like Facebook, WhatsApp, Skype, etc. The suddenness with which these services have become popular left law-making authorities with little opportunity to give directions to these companies and regulate their actions. For the large part these services worked on the basis of self-regulation and on the terms and conditions which consumers accepted. These services gave people access to their machinery for free, in return for personal data about the consumer. This information is later sold to advertisers who later on send ‘personalised’ advertisements to the consumer on the basis of the information received.

With growing consciousness about the large-scale misuse that can take place if the data falls into wrong hands, citizens have started to seek accountability on part of these websites. With increasing usage of online services in our daily lives and growing awareness about the importance of privacy, the pressure on governments to make stricter privacy laws is increasing.

The nature of data that these services collect from the consumer can be extremely personal, and with no checks on the nature of data that can be collected, there is a possibility for abuse. It can be sold with no accountability in the handling of such information. Regulations such as those related to data collection, data retention, data sharing and advertising are required, and for the most part have been lacking in almost all countries. The European Union however has been in a constant tussle with internet giants like Google, Facebook and Amazon, over regulations, as though these companies have operations in Europe, they are not under its jurisdiction. In fact they are not under the jurisdiction of any countries except the ones they are based in. The EU on 10 January 2017 released a proposal on the Privacy of individuals while using Electronic communications which will come into force in May 2018.

The objective of the ‘Regulation on Privacy and Electronic Communications’ is to strengthen the data protection framework in the EU. The key highlights of the data protection laws are as follows:

• Unified set of Rules across EU – These rules and regulations will be valid and enforceable across the European Union and will provide a standard compliance framework for the companies functioning in the Union.
• Newer Players – Over-the-top services are those services which are being used instead of traditional such as SMS and call. The law seeks to regulate these Over-The-Top services (OTT) such as WhatsApp, Gmail, Viber, Skype, etc., and the communication between Internet-of-Things devices which have been outside the legal framework as the existing laws and regulations are not wide enough in scope to cover the technology used.
• Cookies – A cookie is information about the user’s activity on the website, such as what is there in the user’s shopping cart. The new regulations make it easy for the end-users to give consent for end-users for cookies on web browsers and making the users more in control of the kind of data that is being shared.
• Protection against spam – The proposal bans unsolicited electronic communication from mediums like email, phone calls, SMS, etc. This proposal basically places a restriction on spam, mass sending of mails or messages with advertisements with or without the end-user consenting to receive those advertisements.
• Emphasis on Consent – The regulation lays strict emphasis on the idea of user-consent in terms of any data being used for any purpose that is not strictly necessary to provide that service. The consent in this case should be ‘freely given, specific, informed, active and unambiguous consent expressed by a statement or clear affirmative action’.
• Limited power to use metadata – Unless the data is necessary for a legal purpose, the service provider will either erase the metadata or make the data anonymous. Metadata is data about data – it is used by the Internet Service Providers, websites and governments to make a summary of the data available to create patters or generalised behaviour to use specific data easily.

The Regulation has far-reaching effects in terms of taking into its fold businesses which were earlier not a part of the regulations and would cover any technological company which provides electronic communications services in the Union. This would require businesses to sustain costs to redesign their communication system and ensuring that their future software updates are designed in such a way that the users’ consent is taken.

The main argument raised by the proposal in favour of bringing in the new Regulation is that an increasing number of users want control over their data and want to know where their data is going and who it is accessed by. This is because of the growing consciousness about the far-reaching effects of providing huge quantities of personal information to private entities with little or no check on the use of the data.

The biggest relief given to both the users and service providers was the change in the cookie policy. The previous regulation made it mandatory for the website to take consent before any cookie was placed on the user’s computer. This would have led to the user being bombarded with requests on the computer. The new regulation lets the user choose the settings for the cookies from a range of high-to-low privacy while installing the browser and after every six months they would receive a notification that they can change the setting.

There is however the issue of how the websites will know that the user has opted out of receiving targeted advertisements. There is a possibility of using a tool called Do-No-Track – a tool when turned on sends out signals to a web browser, that the user does not wish to be tracked. The system was utilised in the past, but given the lack of consensus in the industry as to the method of usage and the fact that a large number of websites simply ignored the DNT signals, it lost its utility. This Regulation will give the much necessary push for the usage of this system as would be useful, because if a user chooses not be tracked the websites have to respect that choice.

The Regulation also makes consent the central feature of communications system. Earlier consent was said to be implied, that if the individual is using the operators service was considered as consent to allowing the operator to collect information about the end-user. This could have a huge effect on the way these entities earn revenue where in some cases the sole method of earning revenue is advertising. Technology companies have to dole out huge amounts of money to pay to run their servers and for the staff which works on maintaining the website and researching on newer technology to improve their services. Companies which are dependent on advertising could lose a large amount of the revenue which they get if a large number of its users opt-out of providing information and receiving targeted advertisements.

Several critics from the industry argue that the new framework will make it extremely difficult for the operators as they do not necessarily classify data. The multiple layers of data and information collected are simply classified as ‘analytics’. The websites do not always know the purpose the data is going to be used until after it is used. This would make it difficult for the operator when it comes to deciding what comes under the law. In addition, the operators depend on third-parties to collect the information for them. The regulation makes it abundantly clear that the information to be collected should be the bare minimum that is required to provide the services and data that is required for web audience measuring. The third-parties also would be protected under this law, if the information collected by the website necessary to provide those services or if the user has already given consent. A more transparent system instead would make the system accountable as it would give a factual basis to assess whether the operator is complying with reasonable ethical standards.

The users also have an option under the law not to receive unsolicited calls, messages and mails. These kinds of calls, messages and mails are a huge nuisance with the companies doing this facing no liability. Only UK among the countries in the EU has strict laws and hefty fines for such kind of direct advertisements. This system would require the prior consent of the user when obtaining the information and before the sending of advertisements, and inform them about the nature of marketing and the nature of withdrawal. Even though consent is given to the operator the law mandates the communication of the procedure of opting opt-out to the user in clear terms. The operator will also have to have a prefix for all the marketing calls. This is similar to India, where the TRAI initiated Do-Not-Disturb system gives the user an option to block different kinds of unsolicited and automated advertisements through calls and messages.

The Regulation can form a benchmark for the other countries. The regulation with its central focus being the privacy and consent of the user, places a requirement for transparency and accountability of the operator – a necessary condition to run any organisation providing such services. While the changes may seem radical in terms of the costs that the industry as a whole may incur, given the sensitive nature of the information that they deal with, such regulations will and should become a norm for all the players in the market and any new players who wish to join it.

Fake News and Its Follies

Fake news may seem to be very innocuous and in fact might not seem to cause much harm to anyone or have any real-world consequences. Fake news is a phenomenon where a few individuals, sites and online portals create or/and share pieces of information either completely false or cherry-picked from real incidents with the intention to mislead the general public or gain publicity. We all have at least once received a message on WhatsApp groups or on Twitter or on Facebook saying things like – Jana Gana Mana received ‘best national anthem’ award from UNESCO, or that the new Rs 2000 notes have a GPS enabled chip, or that Narendra Modi has been selected as the Best PM in the world by UNESCO. These apparently harmless rumours have done little more than made Twitter trolls target unsuspecting individuals, sometimes even well-known people.

This problem of ‘fake news’ has led to some very tangible damage in today’s world, such as, the recent rumour in Uttar Pradesh and surrounding areas, that there was a severe shortage of salt. The price of salt which was otherwise about Rs 20/kg, shot up to Rs 250/kg and in some cases to Rs 400/kg. The police had to resort to riot control and raids in multiple places to prevent looting and hoarding. The situation blew up to such a great extent that the state’s Chief Minister had to come out with a statement that there was adequate quantity of salt available.

Spreading false information for personal gain is not a new phenomenon, but with the growth of social media and other easily accessible news portals, the reach of the same has reached new heights. This concept came to the forefront given the amount of misinformation propagated by both the sides in Brexit and US presidential elections. This has grown to such a great extent that Oxford Dictionary selected ‘post-truth’ as the word of the year. In a post-truth society, individuals/groups are easily able to influence public opinion for or against their beliefs by posting false and incorrect information online (and probably even get paid for it).

There is a fundamental reason as to why fake-news is bad, it makes it tougher for the individuals to trust established institutions. The relationship between media and citizens is that of trust, the people expect the news portals to be honest and unbiased in their reporting. But, when they are constantly exposed to increasing amount of misinformation and hoaxes, they start losing the faith they have in these institutions. What this does is create a smoke-screen, through which people are not able to see and, judge or reach a definitive conclusion as to what is to be believed and what is not to be believed.

Though there is no set legal provision in India dealing with the problem of fake-news, the closest law the country has that deals with some sort of misinformation being spread is the defamation law. But even the validity of defamation law has been called into question, though the criminal defamation law has been upheld by the SC. It has been stated by critics that the law is being used by the establishment to curb the rights of individuals who question the actions of the governments or its leaders. Sites like Facebook, Reddit, Twitter, etc., can be classified as intermediaries and are the primary sources of fake news. Intermediary liability deals with the liability which can be placed upon such sites, and is dealt with under the IT Act. The provisions under this Act however are not adequate to deal with the issue of fake news. This is because intermediaries are only liable for breaches in privacy of the end-users and not for spread of misinformation.

There are a few other countries which have laws which deal with the subject of misinformation. Germany has mandated Facebook to maintain a 24/7 functioning Legal Protection Office in Germany. This department would take complaints from victims to them and the department would have to initiate an investigation and resolve the issue. If after 24 hours, the department fails to take any action, the company will be charged 500,000 euros (Rs 3,60,00,000) per day the news is left online. China had in 2013 made stringent rules against rumour-mongering. Indonesia has also set up a National Cyber Agency which would deal with content that the agency thinks are ‘slanderous, fake, misleading and spread hate’.

There is a possibility that there could be a chilling effect on the freedom of free speech and expression,  Facebook for example as a corporate entity will in trying to avoid the fine, block any sort of information which comes into question. This is because there is no accountability on the actions in this case. In the cases of China and Indonesia, the governments become the sole deciders of what truth constitutes and anything which they do not want the public to know or any information which is against the establishment’s viewpoint would be labelled as ‘fake’.

The promulgation of fake news has brought into focus the role of sites like Facebook, Twitter, Reddit, etc., which have becoming one of the major sources of news consumption in the developed world. Several analysts have blamed sites like Facebook for the absolute lack of accountability these sites have in dealing with the problem of misinformation spreading on their portals. Then again, moves taken by Facebook and Reddit have been questioned by free speech activists.

This problem of fake news actively being shared and the consequent need to set up regulations to counter this flow by social media outlets and the like raises some serious ethical and legal questions, including whether corporate entities like Facebook, Reddit, Google, etc., should be given a free hand in blocking or blacklisting ‘fake news’, whether the government should step up and actively take a part in stopping fake news and whether the benefits of checking the spread of misinformation are valuable enough to censor any sort of ‘suspected’ news. As of now most laws have still not adapted towards tackling these issues, however there has been a slowly shifting trend towards dealing with the same.