Who is responsible for the CitiBank fiasco?

It is time for a PIL to explore the inconvenience and business disruption caused to customers of Citi Bank because of the acquisition of its consumer business by Axis Bank. The damage caused to individual businesses whose cheques would have been returned and pending credits would have bounced etc. was entirely unnecessary and reflects a failure of proper supervision of the entire process.

Perhaps an RTI on RBI is a starting point and some lawyer needs to take this case.

I refer to this post on the Axis Bank website, which states that the acquisition of the CitiBank consumer business was handled by Axis Capital and Credit Suisse as financial advisors and Khaitan & Co as legal advisors. Additionally, PricewaterhouseCoopers and Boston Consulting Group were involved as business consultants.

I request these professional firms to explain to the public how they let the CitiBank fiasco happen.

In cases of total merger of one entity into another, such as Corporation Bank and Andhra Bank into Union Bank etc., the entire IT systems of one entity were transferred to the merged entity. Though there were technical glitches in migration, the old account numbers and chequebooks continued and there was not much business disruption of the kind the Axis Bank-Citi Bank deal caused.

I understand that in this case it was not possible for Citi Bank to provide control of its entire systems to Axis Bank. However, it was possible to set up a middleware system which could have handled the customer issues over a period of time sufficient to allow the data to be migrated. This was a technical failure and the financial, business and legal consultants were incapable of suggesting this issue. There was a need for involving a Cyber Security and IT Consultant with experience in Banking in the process to handle the migration.

It also appears that this issue was handled as a business acquisition of a division and RBI has failed to exercise supervision. I request the Governor of RBI to initiate its own enquiry into the failure of its oversight mechanism.

It was clear to customers who had visited Citi Bank recently that Citi Bank executives were not even interested in suggesting continuation of the customer relationship and were happy to close the accounts. This was indicative that they were not concerned either for their customers or for Axis Bank as their client.

While Axis Bank failed to market itself to the customers of Citi Bank, some card marketing activity continued on behalf of Citi Bank until a few days back.

The least that the two Banks could have done was to release joint newspaper advertisements to warn the customers to shift their accounts or face disruptions. Axis Bank should have set up a technical facility to migrate accounts if it required “Explicit Consent”.

It is surprising that this Rs 12325 crore deal was handled so shabbily. While on paper the deal looked great for Axis Bank, it now appears that Axis Bank will fail to get all the 3 million customers of Citi Bank whom they could have happily acquired at one stroke. Shareholders of Axis Bank should question the management on this failure.

A statement from the top management of Axis Bank on how and why they let down the erstwhile customers of Citi Bank is expected.

PS:

Some of my readers have pointed out that they did receive several reminders from Citi Bank and they exited from the Bank. It appears that several others found the notice inadequate and were taken by surprise.

Personally I had a Credit card account only and I continued to get reminders for renewal till a few days back which I simply ignored.

Whoever is responsible for the fiasco, there will be a debate on what is “Due Diligence” under such circumstances and whether there will be liabilities for somebody for causing denial of service.

Naavi

I received the following experience from one of my readers on how he handled the 9th February issue.

Quote

It was not easy. I spent 6 hours with them to get back my 9.75 lakhs balance.

  • CITIBank initiated the consent obtaining process to switch to Axis Bank 4 months ago, but till 7th Feb evening it was showing an option to remind me later.
  • On 8th evening I received a message “Cheque-book and debit card deactivated”. I thought Internet banking would be working and tried to log in on 9th morning, but it was not working.
  • Call center was not accepting my account number as a parameter (Account deactivated) to access the customer support, but I reached the customer support with the lost card option.
  • Customer support informed; I will receive a demand draft of balance within 15 working days to the official address.
  • 9th at 11 am I reached the South-end circle branch and found the branch working normal and still accepting cash deposits and many other activities, They gave a token number “A20” but it was looking like “420” 🙂
  • I was restless and started enquiring other members about their reasons and found more than 20 members waiting for the same reason.
  • I approached the branch manager, explained that this is not a correct process and demanded to reactivate the account, but they refused.
  • Also they directed me to fill the “account closure request form” and “balance transfer request form”,
  • I refused and mentioned I will go to the Police station and RBI banking ombudsman customer grievance cell.
  • Around 1.30 PM another senior manager approached me and assured me of the transfer of funds to my alternative account within 2 hours. Once again he asked me to fill the account closure request form. I refused, filled only the “balance transfer request form” and went back to my office.
  • Around 3.30 PM the NEFT fund transfer to my alternative account was initiated and I got an acknowledgement from my other bank around 6 PM.
  • Funny part is both my CITIBank credit cards are still active. I can use them, but I can’t access my internet banking to manage my limits or the enable/disable card options of the credit cards.
  • I saw that branch staff, including the Branch manager, were clueless on the chaos created somewhere in the boardroom.
  • I remember the CITIBank motto statement “CITI never sleeps” but now on “CITIBank customer also never sleeps” 🙂

Unquote


CitiBank abruptly closes customer accounts. RBI and Axis Bank fail in their duties

Last week, CitiBank sprung a surprise on its customers by abruptly closing their accounts in preparation for the merger of its operations with Axis Bank by the end of March 2023.

In the process, many clients having their primary and business-critical accounts with CitiBank found that their business was disrupted.

In earlier mergers this kind of a situation did not arise since the accounts were automatically transferred to the new entity and it was left to the customer to decide whether to continue their relationship with the new entity or not over a period of time.

In the meantime, in the earlier mergers of Corporation Bank-Union Bank, all cheques and standing instructions related to the old accounts continued to be operative and no inconvenience was caused to the customers.

It is not clear why Citi Bank adopted this move and why RBI did not prevent this inconvenience caused to the customers.

We are not aware if RBI was aware of this move and had approved it or Citi Bank had kept RBI in the dark. Also, did Axis Bank take the trouble of informing the erstwhile customers of Citi Bank that such a move was contemplated by Citi Bank? The customers of Citi Bank are now the responsibility of Axis Bank, which needs to preserve its own reputation for customer service, and it seems to have failed in this obligation and opportunity.

It is time for some consumer oriented lawyer to file a PIL and ensure that CITI Bank pays damages to all its customers for suddenly stopping operating accounts and causing both material and reputational harm to them.


I am trying to figure out if there were any technical reasons for this fiasco. In earlier cases of mergers the merged entity continued to operate the account under the same account number for some time until it was migrated to a new account number. Even the standing instructions and cheque books continued to be operative till they were replaced and migrated.

It was surprising that this did not happen in the Citi Bank-Axis merger case. It is not clear if this was handled like a merger under RBI supervision or a business acquisition. In that case Axis Bank had to be proactive and provide some easy options to customers for migration. It is difficult to imagine why Axis Bank failed to use this marketing opportunity.

It should have been possible to set up an intermediary authentication system to direct the customers to the specific database of account holders transferred to the control of Axis Bank. Probably Citi Bank did not want to help Axis Bank acquire the customers easily and Axis Bank failed to negotiate the merger/acquisition properly. Whichever consultant handled the transition has failed in his duty to guide Axis Bank properly.

We await more information to unfold in this regard from RBI.

Also see this article on which consultant handled this acquisition so inefficiently.

Naavi


CNIL Fine of Discord.com

The fine of Euro 800000/- imposed by CNIL on the US-based Discord.com is an instance where the supervisory authority conducted its own online inspection without any complaint about a data breach and arrived at the fine for a relatively low-risk contravention.


The fine, which was imposed on 10th November 2022, was a reminder to the industry that even without any breach-related complaint, CNIL could on its own try to find a non-compliance and impose fines.

The breach identified was the lack of a written “Data Retention policy” under article 5.1.e. As a result, the investigation found that the data of 2,474,000 French users remained in the database though they had not been used for more than 3 years, along with 58000 accounts which had not been used for more than 5 years. (P.S: During the investigation, the company introduced the policy to delete the information after 2 years).

CNIL further identified an associated Article 13 breach (Not providing information to data subject) since there was no policy on data retention.

Yet another breach identified was a deficiency in the implementation of Data Protection by default (article 25.2). The observation in this regard was that when a user wanted to close the voice chat and clicked on the X mark on the window, the application was only sent to the background and not exited. (P.S: During the investigation, the company introduced, as a compliance measure, a popup to indicate that the voice chat window is still running in the background).

Another issue found by CNIL was that the password policy allowed use of a 6 letter password and did not mandate a complicated password with a mix of lower case, upper case and special characters. (P.S: During the investigation, the company complied with the requirement).

Further CNIL found fault with Discord.com that it had not conducted a DPIA and given the volume of data handled, it should have conducted a DPIA. (PS: The Company conducted two DPIA and concluded that it is not likely to result in a high risk to individual’s rights and freedoms).

The incident indicates that CNIL could conduct its own online inspections and initiate action against companies, and it would be wise for foreign companies providing services in the GDPR region to set aside a suitable insurance coverage (if available) or provisions to meet such demands as if it is a GDPR tax.

Naavi


The Theory of Mind…Concept of Qualia

At Naavi.org, we have frequently alluded to “Theory” to explain concepts. We discussed the “Theory of Information Security Motivation” at one time and also created the “Theory of Data” to explain “Data” and its relation to “Privacy”. We did make a brief mention of “Theory of Privacy” which is still to be explored. Now is the time to open the doors for discussing the “Theory of Mind”. We are converging on this topic from the need to understand the “Neuro Rights Protection” and also to understand the “Artificial Intelligence regulation”.

I am approaching these topics as a student and trying to understand the present thinking on this topic peppered with my own views.

Our own approach to the human mind earlier has been through “Philosophy”, which tries to discuss the “Mind”, “Intellect” and “Consciousness” and their respective manifestations of the “Thought Process”, “Discretion” and “Awareness”.

Scientists of the modern era are coming towards the study from the biological concept of the Brain, the Nerve system, Neurons, the Dendrites, Electro-Chemical changes and Electro Magnetic signal processing that happens within the brain.

The Psychologists have their own approach to understand the behaviour of a person, which is a manifestation of the instructions generated in the mind. They look at the conscious mind, sub-conscious mind, emotions etc. as different manifestations of the functioning of the brain.

When an AI programmer is trying to emulate the human brain and take it beyond the “I instruct…Remember and Execute” kind of functioning to a level where the program is instructed to “Learn while you decide and alter the behaviour to make the output more in tune with an objective”, the programmer tries to draw some understanding of the way the human “Mind” functions so that he can set up a neural network close to human intelligence.

It is in this context that the “Theory of Mind” appears the next door to open.

The Theory of Mind (TOM) is meant to understand how the brain is able to generate thoughts, emotions, feelings, beliefs etc. which define the character of a person. It tries to find the reason why “Intuition” exists and an individual sometimes discards the earlier experience and takes decisions not backed apparently by any logic.

One plausible explanation is to consider that this is a kind of decision based on a probability estimate, but whether it is as simple as probabilistic decision making or something else like the “Sixth Sense” is a matter to be analyzed.

I was going through the book, “The Basic Theory of Mind” by Dr Chirapat Ukachoke to understand his perspective of the “Theory of Mind”. One of the important concepts that the theory discusses is the concept of “Qualia”, which is the way a person perceives the incoming neural signals. This brings us close to the concept of “Consciousness” and the “Theory of Maya” used in Indian philosophy.

Basically “Qualia” is the ability of the mind to “See things”. While the sensory perceptions stimulate the mind to “See things”, it is possible that a person may “See” what is different from what another person sees, and herein lies the origin of “Intuitiveness”.

We should remember that “What We see may not be what it is” since the perception is dependent on several aspects of the state of mind. Ideally the state of mind should have a direct correlation to the state of a sensory stimulation. But this may not be true. When you hear the word mango, some may perceive a ripe Alphonso and another may perceive a green Totapuri. When a red object is seen one person may see the colour and another may not or may see a different colour.

Other examples of qualia include the perceived sensation of pain of a headache, the taste of wine, as well as the redness of an evening sky.

All such perceptions cannot be dismissed as a deficiency of the sensory organs. There could be a difference in the “Vision” not related to the sensory input alone.

In AI such happenings may be considered as “Errors” or “Deficiency in Training”. But when we try to provide self learning capability to the AI, can there be a situation where the AI will imagine things on its own and act in a manner that is not intended by the developer?… is the concern we need to resolve.

We need to explore this further and see if there is any learning we can take to the AI development.

Naavi

More about Qualia

According to ChatGPT: Intuition and qualia are related in that both involve a type of direct, non-verbal understanding of the world. Intuition can be seen as a type of qualia in that it involves a direct, unconscious experience of knowledge, without the need for conscious reasoning or analysis. However, intuition can also be seen as distinct from qualia, in that it involves a more general, problem-solving type of mental processing, while qualia is more specific to individual sensory and mental experiences.


Should AI ethics include “Forgetting”?…towards AI regulation in India

This is a continuation of our discussion on “Towards AI Regulation in India”.

Presently, any AI algorithm is a piece of computer instruction which creates an automatic functioning of a software/hardware. The automated functioning of the AI device is governed by the provisions of Information Technology Act 2000, Section 11 read with Section 2(za) which inter-alia states as under.

Quote

“An electronic record shall be attributed to the originator if it was sent by the originator himself or by a person who had the authority to act on behalf of the originator in respect of that record or by an information system programmed by or on behalf of the originator to operate automatically”

“Originator” means a person who sends, generates, stores or transmits any electronic message or causes any electronic message to be sent, generated, stored or transmitted to any other person but does not include an intermediary;

Unquote

In view of the above, at present the activity of any AI algorithm would be legally the responsibility of the owner of the algorithm. If the algorithm is embedded into a device such as an autonomous driving vehicle, automated credit rating mechanism, prosthetic device or a humanoid robot etc., the responsibility continues to rest with whoever owns the system and markets it to the consumer. Since the functioning of a final device is a combination of multiple systems, the suppliers of sub systems become contractually related to the final claimant of the owner of the device.

It was in this context that we discussed the responsibility for illegal activities of robots like Sophia, which was created by a Hong Kong firm and granted citizenship by Saudi Arabia. (refer this earlier article).

However, it is considered better for implementation of law if the law has better clarity. Otherwise, if a person approaches the Adjudicator under Section 46 of ITA 2000 or the Director, CERT-In or a Court and claims damage from the actions of ChatGPT or any other AI algorithm or robot, it is difficult to imagine how the judicial authority would respond.

We therefore need the MeitY to immediately designate an “Artificial Intelligence Authority of India”, starting with designation of an official in the MeitY within the powers under ITA 2000. This would be like the “Controller for Online Games” who may be appointed under a gazette notification.

The first step that the AI regulator should initiate is a method to create a registry of AI developers and mandate registration. This means that there should be consequences of non-registration, which need to be developed in the notification.

Obviously this will be opposed and has to be followed through as the first battle for the AI regulation.

A similar development happened in the Bitcoin/Crypto regulation which finally resulted in CBDC as an officially approved Crypto Currency and de-recognition of all other Private Cryptos. Similarly, AI developed by registered developers will be “Officially recognized” algorithms with a “White” label and others should be considered as “Grey” or “Black” labelled depending on criteria.

We can start with this labelling and how the society accepts it over time may be observed and further action taken as and when required.

But the “White” AI developers will be those who voluntarily submit themselves to the ethical boundaries set by the registration and the principles of ethics already being discussed worldwide can be included in the guideline one by one.

One of the requirements we have already discussed in this regard is that every AI developer shall be accorded a unique registration number by the authority which shall be embedded in the developer’s work.

Additionally a set of ethical guidelines would be applicable for the development.

The first set of such principles were proposed by Isaac Asimov in his short story “Runaround” in 1942 and consisted of the following three laws of robotics.

  1. A robot may not injure a human being or, through inaction, allow a human being to come to harm.
  2. A robot must obey orders given to it by human beings, except where such orders would conflict with the First Law.
  3. A robot must protect its own existence as long as such protection does not conflict with the First or Second Laws.

Once AI started developing, experts began discussing the ethical principles to be followed by AI research and development teams, and several sets of principles have emerged.

One such set is “The principles of Asilomar”, developed by a group of experts in AI and ethics at the 2017 Asilomar Conference on Beneficial AI. They provide guidance on how to ensure that AI is developed and used in a way that benefits humanity and avoids unintended harm, and could also be used. They include the following 23 principles:

  1. Research Goals: The goal of AI research should be to create not only a technology but also a world in which the technology is safe and beneficial.
  2. Long-Term Goals: Long-term, society-level planning is necessary, including global and national strategies, research programs, standards and regulations.
  3. Importance of Value Alignment: It is crucial to align the goals and behavior of AI systems with human values throughout their operation.
  4. Control: Every AI system should have accessible and understandable control mechanisms, so that humans can align the goals and behaviors of the system with human values.
  5. Human Values: AI systems should be designed and operated so as to be compatible with ideals of human dignity, rights, freedoms, and cultural diversity.
  6. Personal Privacy: The privacy rights of individuals must be protected.
  7. Sharing: The benefits of AI should be shared widely.
  8. Openness: AI research and development should be open, transparent and accessible.
  9. Collaboration: Collaboration between researchers and stakeholders is necessary to ensure that AI has a positive impact.
  10. Responsibility: Researchers and developers of AI systems have a responsibility to ensure that their systems are robust and verifiable and to avoid creating systems that are a threat to humanity.
  11. Safety: AI systems must be safe and secure throughout their operation.
  12. Failure Transparency: If an AI system causes harm, it should be possible to find out why.
  13. Responsibility for AI Systems: Those designing, building, deploying, or operating AI systems are responsible for ensuring that they do what they are intended to do and do not cause harm.
  14. Value Alignment: The beliefs, values and preferences of AI systems should be aligned with human values and ethical principles.
  15. Human Control: There should be a way for humans to disengage or overwrite AI systems if they are causing harm.
  16. Non-subversion: The power granted to AI systems should be used to preserve human values and to avoid subverting these values.
  17. Long-Term Responsibility: Organizations and institutions developing or deploying AI systems have a long-term responsibility to ensure their alignment with human values.
  18. Importance of Basic Research: Basic research is necessary to ensure that AI systems are transparent, controllable, and predictable.
  19. Risks and Benefits: The risks and benefits of AI should be systematically studied and understood.
  20. Diversity: Diverse perspectives and approaches are necessary to ensure that AI benefits humanity.
  21. Human augmentation: AI has the potential to significantly enhance human capabilities, but it is important to ensure that such enhancements are safe and beneficial.
  22. Ethics and Values: The ethical and moral implications of AI must be carefully studied and considered.
  23. Responsibility of AI Developers and Deployers: AI developers and deployers have a responsibility to ensure that AI systems are developed and used in a way that is aligned with human values.

Another such set is the “Turin Principles”, developed in 2018 by a group of experts in AI and other principles such as the Asilomar Principles.

The Turin Principles consist of the following 10 principles:

  1. Human control: AI systems should be designed and operated in a way that ensures human control over the technology and its decisions.
  2. Transparency: AI systems should be transparent and explainable, so that their functioning and decision-making processes can be understood by humans.
  3. Responsibility: Those who design, develop, and operate AI systems should be held accountable for their functioning and impacts.
  4. Human values: AI systems should be designed and used in a way that is consistent with human values, including dignity, rights, freedoms, and cultural diversity.
  5. Fairness and non-discrimination: AI systems should not discriminate against individuals or groups, and should ensure that everyone is treated fairly and without bias.
  6. Privacy: AI systems should respect the privacy of individuals, and the protection of personal data.
  7. Environmental and social responsibility: AI systems should be developed and used in a way that is environmentally sustainable and socially responsible.
  8. Quality and safety: AI systems should be of high quality and safe, and should be designed to minimize harm and risks to individuals and society.
  9. Capacity building: There should be investment in capacity building for individuals and organizations to understand, develop, and use AI in a responsible and ethical manner.
  10. Cooperation: The development and use of AI should be based on international cooperation, and the sharing of knowledge, expertise, and best practices.

PS: Note that both the above principles include the “Principle of Accountability” which we have indicated as the first requirement of our set of principles.

Additionally there have been other initiatives such as the “Montreal Declaration for a Responsible Development of AI”, “Partnership on AI”, “IEEE Global Initiative for Ethical considerations in AI and Autonomous systems”, “AI Now Institute’s AI Principles” etc. We shall discuss these principles independently in other follow up articles.

The ethical guidelines suggested include “Protection of Privacy”, which means that processing of Personal data must be done in accordance with the known principles of Privacy. If however, processing has to be legal, then any restriction on automatic processing should be subject to the restrictions of law under GDPR/CCPA/ITA2000 or other similar laws.

One of the areas in which some disputes have arisen and settled through judicial process is the exercise of “Right to be forgotten” where search engines have been often mandated by law to specifically remove personal identity references in certain publicly available information.

This apart, there is an issue in the learning process embedded in the self learning AI algorithms, which keep collecting and processing information over time and learning with each new information input.

An ethical question arises here whether there should be some rules built into the use of learning inputs which are dated. Humans have an inbuilt mechanism to forget, without which we will be burdened with all the bad memories of life. Machines do not forget and hence if the decisions of an AI are based on information which is of a past time, the outcome may not be correct. Even humans change over a period of time and a person who was a bad person during his teens may become a good person when he is an adult and a saint when he is older. It could be the reverse also where a good person may turn bad over time.

If AI has to maintain quality, then AI should also be trained to understand what is relevant and what is less relevant and what is not relevant, before arriving at the final decision. Hence some form of weightage based on the time of the learning event needs to be part of the ML process.

“Ability to forget” should be a quality that a good AI should develop and hence has to be one of the ethical principles that needs to be added to the developing set of “Naavi’s Ethical Principles of Artificial Intelligence” (NEPAI).

We shall continue our study of all the sets of principles presently available and arrive at our own version in due course.

I welcome contributions from others in developing this set of principles.

Naavi

OPEN FOR DISCUSSION


Relaunching the Course on Cyber Law

Naavi has been a pioneer in conducting Cyber Law Courses online through Cyber Law College which launched its first course way back in 2000.

Now ITA 2000 has completed 20+ years and a lot of experience has been built in the market in terms of Court decisions on Section 66A, Section 79, Section 65B of IEA etc. Not all of these decisions have been consistent but Judges have been exercising jurisprudential thoughts on the cases.

There is therefore a renewed interest among students and the lawyer community in Cyber Law Courses.

To ensure that the flow of knowledge in this area continues, Cyberlawcollege.in has re-launched its online course on “Certificate in Cyber Laws”.

The course is online and a set of recorded videos has been provided to cover the ITA 2000 comprehensively. New videos covering recent developments on Intermediary guidelines and CERT-In guidelines have also been added.

We shall add further videos which will cover application of ITA 2000 on Artificial Intelligence, Metaverse, Quantum Computing, Blockchain technology etc.

There will be periodical direct Zoom interaction with Naavi so that students can get their doubts clarified. This is therefore a “Hybrid” program with Online and Offline interaction. There will be an online examination followed by Certification.

The objective is to make this course the most comprehensive course available to a knowledge seeking professional.

The Course is presently priced at Rs 6000/- (Inclusive of GST) and could change upwards in future.

Interested persons can register for the course here.

Cyber Law College.in also offers courses on Data Protection which may also be perused on the website cyberlawcollege.in.

Colleges and Law firms can contact for bulk discounts. Please spread the word to your friends.

Naavi
