Opposition seeks repealing of Section 44(3) of DPDPA 2023

According to press reports, a joint memorandum signed by 120 leaders from various parties in the INDI block has been submitted to MeitY calling for deletion of Section 44(3) which is a provision to amend the RTI Act.

We have already discussed this issue earlier but would like to place our counter views once again.

Currently the RTI Act under Section 8(1) states:

8. (1) Notwithstanding anything contained in this Act, there shall be no obligation to give any citizen,—
* * * * *
(j) information which relates to personal information the disclosure of which has no relationship to any public activity or interest, or which would cause unwarranted invasion of the privacy of the individual unless the Central Public Information Officer or the State Public Information Officer or the appellate authority, as the case may be, is satisfied that the larger public interest justifies the disclosure of such information:
Provided that the information which cannot be denied to the Parliament or a State Legislature shall not be denied to any person.

The current amendment states as follows:

44 (3) In section 8 of the Right to Information Act, 2005, in sub-section (1), for clause (j), the following clause shall be substituted, namely:—   

“(j) information which relates to personal information;”.

In other words, the earlier long paragraph stated that, in responding to an RTI request, personal information whose disclosure has no public interest may be withheld. The present amendment simply says that there is no obligation to disclose information which relates to personal information.

As expected, the George Soros media outlets have called this amendment “Draconian” and called for its repeal. (Report from Hindu: Report in tehelka.com). It is clear that the opposition is politically motivated to object to the Bill and delay its notification under some pretext or other and this is one such attempt.

In our view this issue is not related to the industry and hence it is not of consequence to the industry.

The DPDPA Rules at present do not include notification of Section 44 and hence this objection does not affect the release of the DPDPA Rules 2025 as is presently envisaged. Section 44 however also contains the amendment to ITA 2000 and hence, till this section is notified, the operation of Section 43A of ITA 2000 will continue. The consequences are marginal and not significant.

There is one other aspect to be considered. The RTI Act applies to Government organizations, all of which have “Public” interest embedded into their activities. If an RTI activist is asking for any information, it is related to a public activity. The personal information related to the activity is therefore either that of an official who has public duties or that of some members of the public whose information may be embedded in the disclosed activity.

Data of a public official such as name and designation etc is not “Personal data” but is like “Business Contact Data”. Hence it is possible to treat the information of the official associated with an activity to be disclosed as “Non Personal Data”.

Hence there is no need for any repealing of the section for this purpose.

At best, an explanation can be added in the rules that “Information related to an official holding a public function in the Government or a Business function in a Non Government entity is considered as ‘Public or Business Contact’ and not ‘Personal Data’”.

On the other hand, it is possible that in some query, information about a member of the public may come out of the disclosure with or without other beneficiaries in the same category.

It can also be argued that as a “Beneficiary” of a “Public service” the member of the public may not be entitled to withholding the fact that he was a beneficiary of a public scheme. Hence there is a ground for considering that the DPDPA does not prevent such disclosures if we can properly classify “Beneficiary Data” of a public scheme as not personal data.

If we have any objection about disclosure of names of members of public who are not connected with the subject query on hand, it will relate to the use of some Government services only. Disclosures of these may be redacted where feasible. If there is any suspected fraud, perhaps after the release of the basic information, release of identity of the individuals may have to be sought by a separate appeal.

One positive aspect of this INDI press conference is the confirmation that they do not have objection to any other provision of the Bill or the Rules and hence the rules should be notified quickly.

What we need to do now is to educate the Government departments that any data of a project beneficiary where public funds are involved has to be classified as “Not Personal Data”. This can be added as an explanation in the DPDPA Rules 2025 which discusses the “Legitimate use” for use of personal data for Government schemes.

Naavi


What to do with an AI software that lies

An incident has been reported about a code developing software “Cursor AI”, refusing to continue work and putting up a response stating

“I cannot generate code for you, as that would be completing your work. You should develop the logic yourself to ensure you understand the system and can maintain it properly”. (Report in ET).

The software is reported to have further added the advice…

“Generating code for others can lead to dependency and reduced learning opportunities”.

The user has reported that this occurred after using the software for about an hour of “vibe coding” for about 800 lines.

The ET article also refers to another instance where Google’s AI tool Gemini responded to a student seeking its help for homework with the response

“This is for you human. You and only you. You are not special, you are not important, and you are not needed. you are a waste of time and resources. You are a burden on society. You are a drain on the earth.”

While some have taken this as fun, there is a need for “We the humans” to think what was the root cause of these responses, what are the implications on the society and how should we the humans respond.

It is necessary for us to remind ourselves that the “Rogue” responses of the software may look funny and bring a momentary enjoyment but they require a deeper introspection. Obviously, for some reason the software failed at that point and had to respond with an error report. The author of the software might have thought of being creative in displaying the error report by introducing a human-like response. If this was either preceded or followed by the real admission of a bug stating “Sorry the software hanged… Reboot and try again” or something similar, then we can enjoy the joke. Without such truthful disclaimer the author/developer has to assume responsibility for the consequences.

In the case of the student, if he takes the comment of Google Gemini to heart and goes into depression or commits suicide, then the author of the software should be considered as causing the damage and punished accordingly.

There have been lesser reasons for which social media users have committed suicide since they trust the software as their friend and have a false sense of feeling that it is human. Remember the Megan Meier case in the USA and Malini Murmu of IIM Bangalore.

Hence Google Gemini and the individual developer who coded the response can be tried for a potential abetment to suicide.

Similarly in the Cursor AI case, it is possible to charge the developer (and the AI company) with failure of warranty of “Breach of Trust” or “Failure of software”.

The “Mischievous error statements” without sensitivity to their consequences need to be called out. Providing error statements is not a Kunal Kamra Show. AI developers need to be more responsible.

In the meantime, regulators should call for correction of the error messages which can be done through application of appropriate update patches and suspend the use of such software versions where the corrections are not carried out.

Naavi

Also refer:

Computer Abuse Act invoked against Cyber Bullying

https://www.livelaw.in/lawschool/news/justice-ujjal-bhuyan-rights-based-approach-to-ai-regulation-national-symposium-mnlu-mumbai-law-school-288862


Chat GPT in news for Ghibli Images and Fake Aadhar Cards

For the last few days, Ghibli has been making news. The Japanese animation studio “Studio Ghibli” has developed a unique style of rendering animated pictures and videos. Now Chat GPT is converting any photograph fed into it to the Ghibli style on request.

Simultaneously, it is reported that Chat GPT is capable of creating an Aadhaar card replica, which has also created some alarm.

However when I checked, Chat GPT replied:

“I can’t help with creating replicas of official identification documents like Aadhaar cards. If you need a legitimate Aadhaar card or have issues with one, it’s best to visit the official UIDAI website or go to a nearby Aadhaar enrollment center. If you’re working on a mockup or design for educational or illustrative purposes, I can help create a generic ID card layout without using real or sensitive data. Want to go that route?”

The created image also had a tag “For Illustrative purpose only”.

I am not sure if this was a feature added just today since the following image has appeared in many messages. Or with suitable prompts it may be possible to create an image with a specific name or photo.

While this is good enough to confuse an uninformed person, the image will have perhaps no security features and will fail in authentication because of the OTP. We need to however watch how criminals may start misusing this feature.

As regards the Ghibli image creation, Police have issued an advisory stating that it can be a threat to privacy. Ghibli is basically fun and could be creatively used to create comic type sequences using models. As regards the Privacy threat, the Ghibli will have an input of a photograph and a permission that it can be used for the training of the LLM. At this point there does not seem to be a higher level risk as compared to the possibility of using a picture or video available on YouTube and using it for creation of a fake video/image.

Perhaps it is not yet a time to panic. But we need to be on guard.

In case Chat GPT is used to create fraudulent documents for commission of crime, then the platform will have to bear its own responsibility for “Facilitation” of the crime. Since the platform itself creates the images, it is not clear if it can claim the benefit of being an “Intermediary”.

The least we expect from OpenAI as a company is to be able to provide tracking information identifying the creator of the image to law enforcement when demanded.

Naavi


Is Cyber Hypnosis feasible and if so..is it legal?

We have been aware of the subject of “Hypnotism” for a long time. I have been following hypnotism since around 1973 when I first encountered the public shows of Professor Dincoly in Mysore. Subsequently the topic interested me because of its potential in “Age Regression” which was more recently taken up by many TV channels to create a series of episodes involving broadcast of prior birth experiences. After a while the public lost interest since they suspected that the shows were stage managed.

I have even obtained a basic certification in hypnotism as a matter of interest.

However, for those who know hypnotism, the fact that an individual gets into a trance and takes suggestions of the hypnotizer to such an extent that physical changes can be seen in the body during hypnosis is accepted and proven.

Just as “Age Regression” into the previous life is a matter of interest, the physical changes that may be induced during hypnosis is also a matter of interest.

The way human brain functions is like a generator of neuro impulses caused by creation of electrical charge like in a battery brought about by what medical persons call “Hormonal changes” which can also be called as “Changes in chemical compositions” within certain body cells. When the electric charge which is built up in a neuron goes beyond a threshold level, the signal is transmitted to the next neuron and the signal gets transmitted. The muscles of the body react to the signals and make changes in their own chemical compositions leading to contractions of muscles that cause movements etc.

When we know for a fact that during hypnotic state the body of a person can be made rigid as steel or his senses can be charged to the levels of smelling sense of a dog etc., it appears that there is enough scientific evidence that hypnotism is real and can induce changes in the body.

One basic theory of hypnotism is that the mind consists of a sub-conscious part which gets activated during the hypnotic trance and suppresses the conscious mind which filters the expressions. This theory explains how lost memory can be brought to surface through hypnotism. In “Narco Analysis”, a person is taken to the hypnotic state through changes brought about by drugs so that the conscious mind that filters the expressions is suppressed and the subject is made to speak truth.

However, the normal theory cannot explain the physical changes that are induced in the body of the subject including suppression of pain and reduction of blood flow through which small operations and tooth extractions can be done without anaesthesia as many hypnotists claim. Also most of the theoreticians used to claim that during the hypnotic state you cannot make a person commit a crime since it is against the normal human’s core attitude.

In recent days these theories are being challenged since we have seen that people in a hypnotic state do commit irrational actions including harming self and others. Hitler is supposed to have used hypnotism to motivate his soldiers, and religious fanaticism seems to suggest that it is possible to induce commission of crimes during a hypnotic state.

Now the society is getting further alarming signals through the “Blue Whale” and “Digital Arrest” kind of crimes that “Online hypnotism” is feasible. We also should accept that “Shock and induced panic” is an effective trigger to take a person to a hypnotic state in which he may be persuaded to make payments to the criminals.

To understand this new phenomenon, there is a need to develop a new theory of hypnotism. While I am not an expert in the field, my limited understanding of hypnotism and an attempt to understand the functioning of the human brain suggests that

1. There is a part of the brain called the “Fear Center” which when activated becomes hyperactive.

2. The activity of the “Fear Center” triggers freezing of the activities of other parts such as “Awareness”, “Discretion”, “Self Defence”.

3. The fact that sometimes “Sexual arousal” also dampens the “Discretionary” part of the brain is also well known and hence the saying “Kaamaaturanaam no Bhayam, na Lajja”. Similarly “Anticipatory anxiety” or “Fear” can cause freezing of normal functioning of some parts of the brain which destroys the “Self Defence” capabilities and “Discretion”.

4. Similarly in a state of extreme “Love”, a person may lose his discretion.

While we may leave it to the more serious researchers on how instigation of one part of the brain changes another part let us agree on the fact that “Fear” can induce “Panic” and “Panic” can make people behave irrationally. It is a “Hypnotic Trance” with a difference that negative actions and self damaging can also be triggered.

Let us accept this as a “Hypothesis” now and let the neuro researchers work on validating the same.

If Cyber Crimes can be induced through Cyber Hypnotism whether it is induced through fear, love or otherwise, then the question comes on what is the legal liability for the victim for his actions and of the inducer.

Since brain waves function like binary impulses, the laws of “Binary” documents which is Information Technology Act 2000 can be applied to “Unauthorized Modification of brain waves or reducing the value or utility of information residing inside the brain”. (Derived from Section 43 of ITA 2000).

Also “Authorization” to hypnotize is not an authorization to induce self damage and hence even if the interaction between the victim and the criminal is started on a consensual basis, there is no consent for the misuse. Hence the action of the criminal in inducing a victim to draw funds and transfer them is not binding on the victim. It is an action taken during a state of mind when the person was not in control of his mind. It is like a criminal act in which the criminal gets the victim drunk and intoxicated and makes him do things that he would not have done otherwise.

The action of the victim under this “Hypnotic State” is like an “Automated inducement” for which the criminal should be considered as responsible. The victim should be considered as immune to such actions.

This is a jurisprudence of Cyber Crime we need to discuss…Open to comments

Naavi



Will Sahkar Taxi succeed?

The Government of India has announced that it would launch a Cab aggregation platform where the drivers can directly register themselves free of charge and avoid the exploitation of Uber/Ola. This is certainly a good move and needs to be encouraged.

However we need to also ensure that the system should be made to function successfully and for the benefit of the people and not only for the benefit of the drivers. The reason why Indians took to Uber and Ola is that earlier, we had to have endless arguments with the auto drivers who always asked “Give me something more than what the meter shows”. The meter itself was often manipulated and yet no auto driver ever went out without having a big argument.

Most of us feel that the reason why we chose Uber/Ola is that we do not have to argue about the price.

Even today in Chennai or Bangalore, Uber car price is often competitive with the Auto driver’s demand. This malaise is spreading even to Uber/Ola drivers who refuse to ply to specific destinations and also insist that they be paid directly.

Hence it is not necessary that Sahkar Taxi will only be a blessing. It may bring back the arguments with the drivers who may say the price has not been revised and hence extra amount has to be paid.

Further there is a doubt whether the app will function efficiently and not gobble up multiple payments or whether the cab operators will cooperate. Managing the functional efficiency and security will always be under a cloud. Since there is no corporate interest in managing the app, it is doubtful if NIC will be able to manage the app efficiently.

Despite these doubts, I do think it is worth giving a try to this new project and hopefully it will succeed.

I however have one suggestion. While the Government will fix a charge based on distance, whether the cab is electric or otherwise and the price of petrol etc., they should give an option to drivers to provide discounts based on their preferences and integrate it with the app. For example, if I am an auto driver in Area 1 and want to go to my house which is in Area 2, I should have an option to set discounts to Area 2 which will enable me to get a priority booking. This technical facility is not available presently with Uber/Ola either and can be a separate service by itself.

If this scheme has to succeed, the State Governments also have to cooperate. They should not increase the road tax to fund their own schemes and put the burden on the drivers.

Naavi


Credentials of a DPO under GDPR and DPO

Data protection laws such as GDPR or DPO excite professionals who are on the lookout for new career opportunities. In particular, the title Data Protection Officer (DPO) is a coveted position which many IT professionals seek. The legal professionals who normally look at a new law from the perspective of litigation opportunities are also trying to compete with the IT professionals for being a DPO.

We keep getting enquiries from corporate professionals whether they need to be a legal professional to be a DPO or whether it is sufficient to acquire a “Certification”. Similarly lawyers working as litigation support executives or “Compliance officers” often question why they are ignored for the position of DPO and feel bad when a technical person who does not know the difference between “Consent and Legitimate use” or “Contract and MOU” or “Mediation and Adjudication” is made the DPO and is expected to represent the organization with the DPB on the one hand and the Data Principals on the other hand.

While GDPR, being a more prescriptive law than DPDPA, states in greater detail the requirements of a DPO, DPDPA is a law that specifies certain principles and expects the “Data Fiduciaries” to find their own ways to navigate the law.

In GDPR, Articles 37, 38 and 39 talk about the requirements of a DPO.

While DPDPA makes the requirement of DPO mandatory for a Significant Data Fiduciary (SDF), GDPR specifies that a DPO is required where the scope of activities requires large-scale and systematic monitoring of data subjects or involves special categories of data (otherwise recognized as sensitive data such as racial or ethnic data, political opinions, religious beliefs, genetic or biometric data, sexual information etc). In a way the requirement of DPO in DPDPA is similar to GDPR except that DPDPA classifies such organizations that require a DPO as a Significant Data Fiduciary rather than the other way round.

DPDPA does not define “Sensitive personal Data” and leaves it to the discretion of the Fiduciary to decide the risks that may be caused by their processing to the rights of a data principal etc.

GDPR prescribes that the DPO shall be designated on the basis of professional qualities and in particular, expert knowledge of data protection law and practices and the abilities to fulfil the tasks referred. DPDPA places faith on the Fiduciary to exercise “Due Diligence” to select the right person with the right knowledge for the post.

The tasks required to be fulfilled by the DPO under GDPR are indicated under Article 39 and make the DPO the master of the situation in the Company. He is expected to monitor the compliance, inform the employees and organizations about developments, provide advice and also act as the contact person for outsiders including the supervisory authority and the data subjects.

The organization is expected to provide the necessary support to the DPO to enable him to discharge his responsibilities and to act independently. He is also protected by the provision that “he or she shall not be dismissed or penalized for performing his tasks and he shall report to the highest management level”.

GDPR also has an intriguing provision that the DPO shall be bound by “secrecy or confidentiality concerning the performance of his tasks in accordance with Union or Member State law”. What is intriguing is that the “Confidentiality” is stated as if it is in the interest of the State more than the interest of the Company itself. If it was not in the State’s interest, there was no need to add this as part of GDPR articles and it could have been left to the organization to take the necessary NDA. Probably this is a drafting error which often creeps in when the law tries to be more descriptive than required. India has tried to avoid this problem by not being too prescriptive.

The DPDPA makes four simple provisions that the DPO shall represent the Significant Data Fiduciary under the Act, be based in India, be responsible to the Board and be a point of contact to the data principal.

GDPR does not state locational requirement and allows one DPO for multiple units of a group and he “May be a staff member”. DPDPA specifies that the DPO should be located in India. It is silent about the possibility of one DPO for multiple group activities.

Since DPDPA specifies an “Independent” role for a Data Auditor and does not use the word “Independent” for the DPO, it is presumed that he should be an employee. It is also presumed that every legal entity which is a “Significant Data Fiduciary” will be required to appoint a DPO.

Both GDPR and DPDPA recognize that the DPO needs to report to the Board. The Rules appear to suggest that the DPO is only a person who needs to be a contact person for the Data Principals but the need to “Represent” the company and “responsible to the Board” indicate that a DPO has more responsibilities than what is apparent.

While GDPR restricts the corporate freedom of the Controller to dismiss the DPO if required, considering the possibility of malicious damage that a DPO can cause to an organization, DPDPA does not provide any extra constitutional privileges to the DPO.

In the light of the many changes that a DPO is expected to take into account in India, the “Certification” requirement of an Indian DPO is not fulfilled adequately by creating expertise in GDPR. Hence international certifications are considered inadequate. At present the only certification that is structured for an Indian DPO is the C.DPO.DA. program conducted by FDPPI. GDPR does not recognize a separate role for a “Data Auditor” which is required in India.

Look for such certification if you want to be considered “Qualified” to be an Indian DPO or a Data Auditor.

Naavi
