Digital India Act-4: Is there only one type of Intermediary in ITA 2000?

In introducing the need for a new Act namely Digital India Act to replace the existing ITA 2000, the Government has identified 5 distinct changes in the environment since 2000 as follows.

Out of the five identified developments, it is easy to understand the numeric growth of Internet users from 5.5 million to 850 million. This is because the cost of Internet access has become very low and web content has become more useful. But some of the other reasons stated are not correct.

For example, ITA 2000 never stated that there is only one kind of intermediary, namely the Internet Service Provider.

In ITA 2000, the definition of Intermediary was:

“Intermediary” with respect to any particular electronic message means any person who on behalf of another person receives, stores or transmits that message or provides any service with respect to that message;

In the 2008 version, the definition was changed to the following:

“Intermediary” with respect to any particular electronic records, means any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record and includes telecom service providers, network service providers, internet service providers, web hosting service providers, search engines, online payment sites, online-auction sites, online market places and cyber cafes.

Along with this definition, Section 79 provided the safe harbour, and the 2008 version introduced the condition that protection under Section 79 was available only if the intermediary did not initiate the transaction, did not select the receiver of the transmission, and did not select or modify the information contained in the transmission. As a result the effective definition of an intermediary got altered: since most intermediaries could not satisfy these conditions, they were practically not intermediaries for Section 79 purposes.

While the definition of the Intermediary was linked to the transmission of a message and could be expanded to any passive service, it could not be applied for Section 79 purposes to services where there was an element of monetization which required the service to be managed in such a manner that the intermediary chose the receiver, the supplier and also what modifications were to be made to the message.

If therefore only the ISPs and MSPs had the pure characteristics of an Intermediary eligible for Section 79, there were many other types of intermediaries who did not come under Section 79 protection because of their business model. The definition could be interpreted in such a manner that a Fintech platform could be an intermediary while the Banks/Fintech companies riding on the platform were not. A Bank could not be a beneficiary of Section 79 in respect of customer information, since it was using that information for its own business, but could be an intermediary in respect of the insurance marketing service it might be rendering to its insurance subsidiary.

The different types of intermediaries now being identified as OTT, Gaming etc. were all “Intermediaries” under ITA 2000, and MeitY had the power to introduce due diligence obligations on them. Even services such as Domain Name Registrars, hosting companies and Cloud service providers were all “Intermediaries” under the current law, and hence it is incorrect to say that there is a need to change the law for this reason. The Government has in the past failed to assert its right to regulate the intermediaries and has often capitulated when faced with a legal challenge. It was the fear of bad media coverage that kept the Government from introducing the required changes. Even now the Gaming Regulations have only been issued for public comments and not as an operative direction.

As long as the Government is hesitant to make a proper interpretation of the law, even if new definitions of intermediaries are introduced in the DIA, the law will remain unimplemented.

Discussion continues…

Naavi

Posted in Cyber Law

New Digital India Act-3: Should the negative list be continued?

(This is a continuation of the previous article on this subject in the series)

The DIA, as proposed by MeitY, is intended to replace the current ITA 2000. The structure of the new Act may see the deletion of Chapter XII on Cyber Crimes (moving it to the IPC), the strengthening of Chapter IX (with changes in the grievance redressal mechanism), the introduction of a new chapter on monetization and also an elaborate chapter on Intermediaries and New Technology regulation.

There is also an indication that Schedule I, which provides that certain types of documents are exempted from the provisions of the Act, may be completely discarded. Recently, in an amendment of October 4th, 2022, immovable property related documents such as sale deeds, partition deeds and lease agreements, which in electronic form were hitherto not recognized, were removed from the negative list. As a result, there can now be an electronic sale deed of immovable property. We have already highlighted that this would increase Cyber Crimes in India substantially and open up the real estate sector to more frauds and litigation.

At present the “Will” is still in the negative list and will perhaps be the next casualty even before the DIA is introduced, since DPDPB 2022 has introduced a “Nomination” facility for personal data. While we have advocated that “Nomination” of personal data may be effected using a written instrument without violating ITA 2000, it is likely that industry may force the Government to amend Schedule 1 of ITA 2000 and remove item 4. This will also open up new Cyber Crimes involving deceased persons and their assets through the creation of fake electronic Wills.

Though the control for Fake real estate transfer documents as well as Fake Wills lies in the mandatory registration of documents, increased corruption in the state registration departments will corrupt the entire system of immovable property registrations and inheritance of properties.

We had in the distant past argued that Cyber matrimony comes with its own risks (refer to the article “Should Cyber Marriages be Banned”, May 1, 2005). We can add the risk of false divorce petitions springing up, and very soon we will see new cyber crimes where people allege that they are married to a targeted victim, sue for divorce and extort money. If the Supreme Court goes ahead and approves same sex marriage, such fraudsters need not always be of the opposite sex and the scope for such “Fake Marriage and Divorce” petitions would also increase.

The October 4, 2022 amendment of Schedule 1 has also made changes to Items 1 and 2 of the Schedule, relating to Negotiable Instruments (other than cheques) and Powers of Attorney, and introduced a strange exception to the exception: when a Bill of Exchange, Promissory Note or Power of Attorney is executed by, or in favour of, certain designated institutions (RBI, NHB, SEBI, IRDAI, PRF), it becomes valid as an electronic document. These institutions will have a magic wand to validate otherwise unrecognized electronic documents of this nature by adding their endorsement or by being a beneficiary.

What has been left untouched in this negative list is only the Trust deed and it will not be long before this also is removed.

Thus in the coming days we can expect that the entire Schedule 1 associated with Section 1(4) of ITA 2000 may be deleted from ITA 2000.

These changes will make it easy for Cyber Criminals to design new Cyber Crimes and challenge the law enforcement agencies.

As the responsibility for interpreting an incident as a Cyber Crime and preventing or prosecuting such crimes may get transferred to the Ministry of Home Affairs, MeitY would be happy to get rid of the complaints that may arise out of such increased Cyber Crime occurrences.

With the additional protection that Cyber Criminals will get through the DPDPB 2022, and perhaps the re-introduction of the “Right to Forget”, convicted criminals, accused persons as well as hackers can demand that the law shall protect their personal data and cover their criminal tracks. This will be like the Kashmiri Terrorists seeking the protection of the Supreme Court under the Indian Constitution though they have no respect for the Indian Constitution.

The move of removing the negative list therefore comes with increased Cyber Crime risks for the society. It is unlikely that this increased risk will be countered with the increased safety and security within DIA or the amendments to IPC since the objective of DIA would be promoting the new technology innovations and not creating a safe Cyber Society.

With the increased demand for “De-Criminalization” of most crimes, and the Supreme Court becoming more criminal and terrorist friendly than ever before, holding the human rights of criminals ahead of the security rights of honest citizens, the future could be a bed of thorns for the “Digital Nagariks”. (I called them Netizens in the year 2000 and now they have got a new name).

The law makers and the Supreme Court only recognize the Right to life with liberty in the form of Privacy. But neither of them has recognized the “Right to life” as a “Right to live peacefully” without terrorism and crimes jeopardizing the freedom of life.

The DIA as proposed focuses more on “Adjudication” and imposing financial penalties, and is unlikely even to include the offences as part of the Act, as indicated by the following propositions.

People like Naavi are well aware of how the Adjudication System under ITA 2000 which was run by the IT Secretaries who were part of the larger community of MeitY was completely ineffective. Now more reliance is being placed on the same ineffective system. We shall separately discuss the improvements that can be made in the Adjudication system in a subsequent article.

But we can flag the risk that by removing the negative list and by decriminalizing ITA 2000, the DIA will make the life of Digital Nagariks riskier than it is now.

Naavi

Posted in Cyber Law

How to Respond to Rogue websites

In continuation of the discussion on the impact of deliberate misinformation spread on the web and the poisoning of AI models, I would like to reproduce here an article which I had written some time back.

This article also refers to another article of 2000 where I had discussed the Dalistan.org issue.

The thoughts represented in these articles become more relevant today since AI can itself be used to generate blog posts and flood the web with articles carrying a bias, which will be further accentuated by search engines picking up those blog posts. The posts can be created with SEO optimization so that search engines rank them above sites like naavi.org, and hence the fake narrative will proliferate.

This will be like the Time Capsule that Mrs Indira Gandhi wanted to bury to influence the future civilization. What is being created on the web is like a “Time Capsule” and in due course the Indian history will be re-told by this time capsule.

The problem of Fake news which we encountered on Twitter and tried to mitigate through the Digital Media Ethics Code will be nothing compared to a future where AI algorithm based search engines are poisoned.

We need to think of a way to resolve this issue.

Naavi

Posted in Cyber Law

New Digital India Act in the making-2: Integrity of ChatGPT like models

On May 26th, 2022, the MeitY had released the “National Data Governance Framework Policy” for public consultation. Mr Rajeev Chandrashekar has made a reference to this policy while introducing the proposed Digital India Act and stated that this policy would be part of the ensuing Cyber Law eco system of India.

The objective of this policy was to ensure that non-personal data and anonymised data from Government and private entities are safely accessible to the research and innovation eco-system. According to the press release of the Government issued on 27th July 2022 in this regard, the policy was meant to provide an institutional framework for data/datasets/metadata rules, standards, guidelines and protocols for sharing non-personal data sets while ensuring privacy, security and trust.

Now this policy, a draft of which was made public in 2022 (Refer here), becomes integral to the Cyber Law eco system in the country and will have an impact even on DPDPB 2022. The objectives of this policy included building a platform where “Data” can be made available for processing by the Big Data industry. It would also impact AI development systems by contributing data for Machine Learning modelling. (Also refer here for more on the policy)

In the context of the penetration of Large Language Models such as ChatGPT into the ecosystem, the need for an unbiased data set for Machine Learning is critical. Public opinion in future would be automatically framed by large language models, which have the capability of making people believe untruth as truth. Models like the new Bing search engine, built on these “Idiotic but pretending to be Intelligent” language models, may rationalize fake narratives on the web if web information becomes the predominant training data set. These models are amenable to the “AI Training Data Poisoning” threat, which needs to be prevented if we want the integrity of ChatGPT like models to be preserved.

As an example arising out of the current narratives floating in the internet, it would not be surprising if the language model confidently says that “Indian Democracy is under threat because of Mr Modi while the truth could be that it is under threat because of Rahul Gandhi”. The “Garbage In, Garbage Out model” of training of AI models would come to this conclusion because the fake narrative may be more prolific than the true narrative. This would be true of all social issues since people spread negative information faster than true information and the media looks at this as an opportunity to increase their TRP. This would lead to the development of a distorted view of the society.

At any point in time the web will contain more negative and false information than truthful and positive information. This will creep into language model dependent search engines and corrupt society irretrievably over a period.

I reproduce here the first paragraph of an article on “intelligencesquared.com” (is it a George Soros sponsored article?). The article is presented as an introduction to a debate in which Siddarth Varadarajan, Founding Editor of The Wire, and Bobby Ghosh, a member of Bloomberg’s editorial board, participate.

Quote

India may be the world’s largest democracy, but under Prime Minister Narendra Modi the country is sliding inexorably towards autocracy. In his six years in office, Modi has presided over an increase in arrests, intimidation and the alleged torture of lawyers, journalists and activists who speak out against him. His Hindu nationalist government has amended its citizenship laws to favour Hindus over Muslims and has pledged to create a national register of citizens, prompting concern that millions of Muslims with inadequate paperwork will be unable to qualify for citizenship. Modi doesn’t like to hear dissent: while in power he has not held a single press conference or given any unscripted interviews. Several international organisations have now marked India as only ‘partly free’ or as a ‘flawed democracy’. This great, vibrant, argumentative country with a proud history of debate has never seen anything like this prime minister: Narendra Modi is the most serious threat Indian democracy has ever faced.

Unquote

The second paragraph provides a brief mention of the opposing view and then goes on to introduce an event in which two speakers will speak. This is a clever presentation of data which search engines and AI algorithms will pick up as the narrative represented by the heading and the first paragraph.

Any AI model to which this paragraph goes as an input would definitely create a biased output. As the biased output percolates into the public mind through search engines such as the Bing search, the public will slowly start believing the fake narrative.

The new DIA flags the need for preventing fake social media narratives as one of its objectives in creating an “Open but Safe” Internet. At the same time the tendency of the law makers is to exempt “Online Search Engines” from most of the regulatory controls in the belief that search engine output is unbiased. This presumption is however incorrect in the era of ChatGPT, since “Fake planted articles on the web” will reinforce the learning of ChatGPT like platforms and increase the bias in each cycle of learning.

Hence filtering the data set used for machine learning is necessary to avoid bias creeping into the AI model's decision making.
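One concrete form of the filtering argued for here, and of the SEO flooding described in the earlier post on rogue websites: an added example, not this page's code nor any MeitY tooling, that clusters near-duplicate articles in a scraped corpus by word-shingle Jaccard similarity and gives each flooded cluster a total training weight of one, so a narrative pushed out as many near-identical posts counts once. The corpus, document ids and the 0.5 threshold are constructed for the example.

```python
"""Near-duplicate flooding detector for a scraped training corpus.
Added example, not the page's own code: posts that repeat one narrative are
clustered by word-shingle Jaccard similarity and each cluster shares weight 1.
"""
import re
from itertools import combinations

# Constructed sample corpus: four near-identical "flooded" posts plus two
# unrelated articles (all text made up for this example).
BASE = ("The town bridge on River Road is unsafe and the council has "
        "ignored every warning for years")
CORPUS = [
    {"id": "d1", "text": BASE + "."},
    {"id": "d2", "text": BASE + ", says a local blogger."},
    {"id": "d3", "text": BASE + ", says a concerned resident."},
    {"id": "d4", "text": BASE + ", according to a new report."},
    {"id": "d5", "text": "The annual flower show opens on Saturday with "
                         "entries from twelve gardens across the district."},
    {"id": "d6", "text": "Quarterly inflation figures released today show "
                         "food prices rising faster than expected."},
]

def shingles(text, k=3):
    """Set of k-word shingles after lower-casing and dropping punctuation."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {" ".join(words[i:i + k]) for i in range(len(words) - k + 1)}

def jaccard(a, b):
    """Jaccard similarity of two sets (two empty sets count as identical)."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)

def cluster_near_duplicates(docs, threshold=0.5, k=3):
    """Union-find over document pairs whose shingle Jaccard >= threshold."""
    # Pairwise comparison is O(n^2); on a real crawl generate candidate
    # pairs with MinHash/LSH, which approximates the same Jaccard measure.
    sh = {d["id"]: shingles(d["text"], k) for d in docs}
    parent = {doc_id: doc_id for doc_id in sh}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for a, b in combinations(sh, 2):
        if jaccard(sh[a], sh[b]) >= threshold:
            parent[find(a)] = find(b)
    clusters = {}
    for doc_id in sh:
        clusters.setdefault(find(doc_id), set()).add(doc_id)
    return list(clusters.values())

def sample_weights(docs, threshold=0.5, k=3):
    """Training weight per document: 1 / size of its near-duplicate cluster,
    so a narrative flooded across many posts counts once overall."""
    weights = {}
    for cluster in cluster_near_duplicates(docs, threshold, k):
        for doc_id in cluster:
            weights[doc_id] = 1.0 / len(cluster)
    return weights

def flooded_clusters(docs, min_size=3, threshold=0.5, k=3):
    """Clusters big enough to look like deliberate flooding, for human review."""
    return [c for c in cluster_near_duplicates(docs, threshold, k)
            if len(c) >= min_size]

if __name__ == "__main__":
    for doc_id, w in sorted(sample_weights(CORPUS).items()):
        print(f"{doc_id}: weight {w:.2f}")   # d1..d4 get 0.25, d5 and d6 get 1.00
    print("flooded clusters:", flooded_clusters(CORPUS))
```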

Regulation of AI is also part of the DIA objective and “Prevention of Bias” is declared as one of the most important ethical challenges.

The DIA therefore needs to ensure that a reliable data set is created out of unbiased basic data. This is an important regulatory aspect required to maintain the integrity of search engines and large language models.

We have already suggested that AI algorithms need to be held accountable to the creators through a system of labelling, licensing and registration. The use of reliable data set for the training process is one of the parameters for accreditation of AI algorithms to be registered by the AI regulatory authority.

MeitY had released certain reports on AI (Refer here). Out of the four reports published, the Report of Committee D, which addressed the ethical issues of AI, suggested the need for measures to avoid bias in AI. Now some of these suggestions have to be part of the DIA.

We draw the attention of MeitY and request that measures be considered to prevent “Poisoning of AI Training”.

Naavi

Posted in Cyber Law

Concurrent Compliance and Continuous Compliance

The audit community (e.g. ISO 27001 audit) generally conducts an audit as a snapshot at a point in time and issues a certificate that the subject entity is compliant. The certificate would normally be valid for a 3 year period with a clause that the entity should maintain the compliance check through internal audits at periodical intervals. Most auditors also add that in case of any significant change in operations, the audit should be repeated. As a result, the responsibility for the maintenance of controls after the audit vests with the organization.

The internal audit team of an organization normally maintains an audit schedule, such as a quarterly or half-yearly audit, depending on its own risk perceptions. This “Intermittent Audit” is like quarterly financial reporting through balance sheets drawn once a quarter.

In some industries the system of “Continuous Audit” is in vogue, where maintenance checks are conducted at more frequent intervals and observations are made on critical parameters on a transaction-to-transaction basis. In such a system each transaction is filtered through an audit check before being recorded. For example, in a Financial Audit each voucher may be checked for appropriate permissions and authority and, on clearance, taken on record. In a simple decision-making environment this can be automated to the extent that the audit becomes almost a “Continuous Audit”.

However, in Techno Legal Audits such as GDPR, ITA 2000 or DPDPB audits, the filters involve legal interpretations which need human intervention more often than in the case of simple financial decisions. In the case of personal data protection, a “Transaction” may mean the collection of a personal data set or the accumulation of identifiers. Sometimes new processes and disclosures may also be transactions in which personal data is processed.

Despite the emergence of AI tools, it is difficult to fully automate personal data related transaction verification on a continuous, transaction by transaction basis. The effort would therefore be to reduce the intermittent audit period from around 3 months to a shorter duration of, say, one month or, more ideally, one day. Such auditing may require some affirmative action by a human and cannot be left entirely to an automated system.

How this “compression” of the audit period can be achieved is a complex decision and may also depend on the risk perceptions of the entity. Further, in enterprise level legal compliance, compliance can be measured only in the totality of the operations and not on individual transactions. It would therefore be necessary to have an index of compliance as a barometer to be watched. Concurrent Audit in the Techno Legal scenario therefore cannot be done without first developing a measurement index of compliance and tracking its changes.

The DTS system developed by Ujvala Consultants is used by the Ujvala Concurrent Audit system through an online mechanism already developed. Some finer details of how to tag the monitoring of changes to certain parameters are being finalized and will shortly be announced as an automated online system for Certification.

The Concurrent DTS evaluation of Ujvala will follow the steps of “Self Assessment”, “Mentor Assisted Self Assessment” and “Summary Assessment based on documentary evidence”. Subsequently the Certification can be passed on to a qualified auditor who is accredited by a suitable organization such as FDPPI.

Watch out for the launching of the “Personal Data Certification” system based on Concurrent audit shortly.

Naavi

Posted in Cyber Law

Concept of Concurrent Compliance

In our earlier article we had used the term “Concurrent Compliance” as one of the goals of PDPSI. This was a new term coined after the more often used term “Concurrent Auditing”. In PDPB 2019, apart from the mandatory annual data audit by an external data auditor, Significant Data Fiduciaries were required to conduct “Concurrent Audits”.

Essentially, “Concurrent Audit” means that the organization maintains an ongoing supervision on its activities (in this instance compliance to data protection law) and not an intermittent audit conducted from time to time.

This means that if there are 50 principles of Digital Personal Data Protection Audit, which an external auditor would check once a year, the management has to keep checking these 50 parameters every day and every moment.

If a DPIA is conducted as and when a new process is being contemplated, Concurrent audit should monitor the DPIA on a daily basis, identifying changes that might occur in data processing such as a new employee joining, an existing employee exiting, or new technology devices being purchased or sold.

Hence Concurrent Audit envisages an integrated system where relevant parameters are monitored on an ongoing basis and a dashboard is available for the management to follow. It is accepted that this is a complex challenge when the business parameters are continuously changing. But organizations can work on setting up such systems initially at a higher level and later fine-tune them as needed.

Under PDPSI, we are trying to use the online DTS system which we developed some time back as a tool for this Concurrent Auditing. The DTS system is a system which tries to assess the compliance of an organization to a given data protection law over 50 different Model Implementation Specifications (MIS). This was developed to assist the Data Auditor who makes an annual assessment. The same system can be also used by the management by creating a dashboard where DTS is being continuously monitored and fine-tuned.

We have already introduced the online DTS system for PDPB 2019/DPA 2021 and GDPR and presented it on the Ujvala.com website. This will now be suitably automated to generate the DTS on a continuing basis. As and when an external auditor makes an assessment, the self-assessed DTS would be modified to reflect the audited DTS. This will enable the synchronization of the internal approach managed by the DPO with the external auditor’s approach, and both would learn by mutual exchange of views during the audit.
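A minimal model of the difference between an intermittent audit and concurrent monitoring of a compliance index, serving both this post and the preceding one on Concurrent Compliance, as an added example (not Ujvala's DTS, whose 50 MIS and scoring are not shown on this page): five constructed parameters are weighted into an index, operational events such as a new joiner or a new device knock a parameter out of compliance until the matching control acts, and the index is recomputed on every event instead of once a quarter. The parameter names, weights, event names and the 70 alert threshold are all assumptions.

```python
"""Snapshot audit versus concurrent compliance index.

Added example, not Ujvala's DTS: a hypothetical weighted index over a few
constructed parameters, recomputed on every operational event so that a dip
between two periodic audits is visible instead of being missed.
"""
from dataclasses import dataclass, field

# Constructed parameters (stand-ins for the page's 50 MIS): name -> weight.
WEIGHTS = {
    "consent_records": 3,
    "access_rights_review": 2,
    "asset_register": 2,
    "breach_process": 2,
    "dpia_current": 1,
}

# Which parameter an event affects and whether it leaves it compliant.
# Joiners, leavers and devices open a gap; the control action closes it.
EVENT_EFFECTS = {
    "employee_joined": ("access_rights_review", False),
    "employee_exited": ("access_rights_review", False),
    "access_review_done": ("access_rights_review", True),
    "device_added": ("asset_register", False),
    "asset_register_updated": ("asset_register", True),
    "new_process_started": ("dpia_current", False),
    "dpia_completed": ("dpia_current", True),
}


@dataclass
class ComplianceState:
    """Current compliance flag per parameter plus an event history."""
    compliant: dict = field(default_factory=lambda: {p: True for p in WEIGHTS})
    history: list = field(default_factory=list)

    def index(self):
        """Weighted percentage of parameters currently compliant."""
        total = sum(WEIGHTS.values())
        ok = sum(w for p, w in WEIGHTS.items() if self.compliant[p])
        return round(100.0 * ok / total, 1)

    def apply(self, event):
        """Apply one event; an unknown event raises KeyError rather than
        being silently ignored."""
        param, status = EVENT_EFFECTS[event]
        self.compliant[param] = status
        self.history.append((event, self.index()))


def run_concurrent(events, threshold=70.0):
    """Concurrent audit: recompute the index after every event and alert
    whenever it falls below the threshold. Returns (history, alerts)."""
    state = ComplianceState()
    for ev in events:
        state.apply(ev)
    alerts = [(ev, idx) for ev, idx in state.history if idx < threshold]
    return state.history, alerts


def run_snapshot(events):
    """Intermittent audit: only the index at the end of the period is seen."""
    state = ComplianceState()
    for ev in events:
        state.apply(ev)
    return state.index()


# Constructed quarter: two gaps opened and closed before the quarterly audit.
QUARTER_EVENTS = [
    "employee_joined", "device_added", "access_review_done",
    "asset_register_updated",
]

if __name__ == "__main__":
    history, alerts = run_concurrent(QUARTER_EVENTS)
    print("concurrent:", history)  # indexes 80.0, 60.0, 80.0, 100.0
    print("alerts:", alerts)       # [('device_added', 60.0)]
    print("snapshot at quarter end:", run_snapshot(QUARTER_EVENTS))  # 100.0
```

The snapshot audit reports full compliance for the quarter, while the concurrent run records the period in which two controls were out of compliance at once.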

Await more information to be released on this service….

Posted in Cyber Law