Dear Visitors
I am trying to experiment with a Chatbot on the website of Naavi.org. This is a word press plug in.
I have found that answers provided by the Chatbot may be incorrect.
This is an experiment and Naavi shall not be responsible for any erroneous information provided by the Chatbot.
Naavi
P.S: After 24 hours of testing, I have found that the Chatbot provides consistently incorrect answers and hence I have disabled it.
Hope to see a better solution in future.
Naavi
25/2/2023
While we wait for a new law to be framed for AI regulation in India, we understand that it would take time.
However, Indian law is so designed that AI regulation can be implead through ITA 2000 through Section 11 and concept of Due Diligence along with the definition of Automated processing under DPDPB 2022.
Listen to more details here from Naavi
[PS: This post is slightly off-topic. It is posted as a reflection of a responsible citizen from Karnataka unhappy with the developments. Ignore if you donot consider it relevant for you]
In the Rohini-Roopa-Ravi discussion that is raging in Karnataka, there is an allegation by a responsible Police officer, D Roopa who is also well known as a crusader against corruption which appears to be deliberately not being attended to promptly by the Government.
The allegation is against another official namely Rohini and covers possible
a) Corruption in possessing assets beyond known sources of income
b) Sending of obscene information in electronic form to senior IAS officers
c) Enticing officials for soliciting favours for personal family benefit in real estate business
It is not clear whether these charges will stand the test of investigation. We are in no position to state except that these are the allegations to be investigated and proven.
But there is a prima facie reason based on circumstantial evidence to believe that the allegations could be true.
It is also clear that though the Government had the CBI report on D K Ravi suicide which was reasonably incriminating and also complaint from Mrs D Roopa on hand, the Government of Karnataka chose to remain silent. This indicated that it had no intention of conducting any investigation and would prefer the controversy to die down on its own.
On the other hand, the Government went on to transfer the two officials and also issue instructions to gag them not to carry on any further discussions on the issue in the social media.
It also appears that Mrs Rohini has now approached the Court to ensure that no discussions shall be published in the media.
Given the fact that there is prima facie evidence, it is not clear how the Government can suppress some body with knowledge of a cognizable offence not to push for justice and if the Government does not respond to the complaint in time, how the person can be restricted not to seek other measures to ensure that the matter is taken to investigation.
Hypothetically, if the allegation made is true, then there is a serious conspiratorial modus operandi of the accused subjecting officials into a honey trap only to derive financial benefit. This is too big an allegation to be hidden under the carpet. If the allegation is not proven, it is open to the accused to take necessary counter action.
It is immaterial that there could be service rule violations when public interest over rides the service rule restrictions.
If the allegation is to be brushed under the carpet, it would mean that there are political vested interests who want to support the accused.
We have always been suggesting that there is a duty on a citizen who observes a cognizable offence to bring it to the knowledge of the law enforcement even if the complainant/observer may not have complete evidence of the same. It is the duty of the Police to find the evidence and not that of the complainant. If the complaint is irresponsible, it is open to the accused to take counter action against defamation.
The developments so far has put the Government in a bad light showing some hidden hand that is trying to suppress further investigation for whatever reason they think fit.
I wish the Court also does not set a bad precedent by gagging the media from bringing out the truth behind the suicide of D K Ravi, the truth behind the “Deleted pictures”, the truth behind the “posh house under construction” etc.
Let us get the truth out whoever is correct. This is the spirit with which Naavi.org has been working in the Cyber Crime area and there is no reason why we should not hold our principles in the current RRR case.
Apart from the question ” Is there a duty to a citizen to report an observed cyber crime” for which an answer can come in the incident, there is also a small link to the privacy issue whether confidential information from personal messages can be used either for self defence or in public interest for producing evidence of suspected crime.
Naavi
The above article titled “New Research suggests that Privacy in the metaverse might be impossible” is an interesting information that suggests how “Motion data” can be analyzed with AI to identify the avatars on a Meta Verse site.
The study suggests that after analyzing more than 2.5 million VR data recordings from more than 50000 players of “Beat Saber app” it was found that individual users could be uniquely identified with more than 94% accuracy using only 100 seconds of motion data. Nearly 50% of the users were identified within 2 secs of motion data using innovative AI techniques using only three spatial points for each user tracked over a time.
While the findings of the study may be accepted as correct, it still requires the acquisition of motion data over a period of time which only the platform owner may be able to do or some body who is stalking the Meta Verse avatar with a sophisticated software.
However, I donot think this is some thing to be surprised about. Every pseudonymisation or Anonymisation is like encryption. It is done with some degree of efficiency which can always be beaten by use of the right kind of effort and technology.
While the study itself suggests some technology measures, perhaps some measures can be used to pseudonymize the motion data itself by introducing a modification of the real motion data.
What we can however recognize is that “attempting” identification of pseudonymization data whether successful or otherwise is an offence under ITA 2000 (Section 66) and is also a contravention of Section 43. Presently the victim can claim compensation through an adjudication system and also initiate prosecution by the Police for a 3 year imprisonment. The offence is cognizable.
Under Section 66, “Diminishing the Value of Information residing inside a computer resource” is an offence. A Pseudonymized avatar is an electronic information whose value will be diminished on identification. Hence such an activity becomes an offence under Section 66 and Section 43….Naavi
Every Metaverse platform is an “Intermediary” under ITA 200 and even if they are established outside the country, they are bound by the laws of India.
While I cannot comment on the effectiveness of any law enforcement measure to bring foreign websites under Indian law compliance other than blocking them from India, law has the necessary provision.
Hopefully Privacy Protection can only go thus far and no further. But if it is possible to use “VR pseudonymization” at the control of the user, then it is possible to provide better Privacy protection.
It may surprise many to know that Indian law in the form of ITA 2000 has a solution even for this. Under the current provisions of the law, the MeitY can notify a “Due Diligence” requirement that can force the Meta Verse platform to introduce an effective “Avatar Creation” which includes pseudonymization of the motion data.
If MeitY can recognize this, perhaps it can issue a notification similar to what has already been issued for Cyber Cafes and Matrimonial Websites.
Naavi
Information Technology Act 2000 (ITA 2000) defined Electronic Document as a “Binary Expression” and legally recognized a definition for “Document in Electronic Form”. It provided a legal recognition making such documents as equivalent to “Paper documents”. Simultaneously the “Digital Signature” and “Electronic Signature” were also defined and provided legal recognition. Even the “Computer”, “Computer Network” etc were provided legal definitions as devices that store and process binary expressions.
However, when it came to defining “Digital Contracts” though the electronic form of offer and acceptance were defined. the basic definition of “When does an agreement become a contract”, “What is the contractual capacity” etc were adopted from the Indian Contract Act.
Hence any contract entered into on the Digital space by a person with a physical age of less than 18 years( 21 years if a legal guardian has been appointed earlier) were voidable contracts. The law did not provide any thought to the impossibility of determining the age of a person in a digital communication.
Though ITA 2000 made “Digital/Electronic Signature” mandatory and therefore any person without a valid digital certificate issued by a Registered Certifying authority cannot enter into a valid digital contract equivalent to a signed contract, the possibility of “Deemed Contract” is possible and is being widely used in all online “Click-Wrap” agreements.
When the Data Protection Act was introduced, the concept of “Consent” was also based on the definition of contract under the Contract Act and hence could not escape the need for a valid signature.
When “Nomination” was suggested in PDPB 2019 and DPDPB 2022, we therefore flagged the Jurisprudential point that a “Will” not being recognized under ITA 2000 and a “Contract” getting automatically extinguished on the death of a person required a paper written will for nominating a transfer of a digital asset on the death of a person.
However the problem of switching the consent from the parent to the erstwhile minor without a discontinuity of service at the stroke of a minor attaining the age of 18 years remained a problem.
Further one could argue that if a person is born at say 09.22 hours on 20th February 2004, then he would attain majority at 09.22 hrs on 20th February 2022 and not at the stroke of the midnight on 20th February 2022.
Additionally the problem of age verification becomes a challenge to every contractual transaction on the Internet. In the early days of Internet, the industry used to ask for credit card ownership as an indicator of adult hood. But with the current risks of credit card frauds, it is not possible to ask for credit card numbers or a nominal debit of Rs 1 etc to verify the age of a person.
In 2005, I had suggested an issue of “Adult Pass” for Pornographic websites (Refer this article: What is an adult pass?) . Recently it was pointed out that France is likely to adopt this thought and issue “Pornographic Passports”. Such documents provide an assurance of age which can be used for allowing entry to adult websites .
In India we already have the system of “Aadhar” which can be also used as an authentication of age. UIDAI can issue on request an “Adult” certificate. Since “Minors” also carry Aadhaar ID along with the Parental Aadhaar ID, we have a ready infrastructure to make UIDAI confirm whether a person is a minor or a major and if he or she is a minor, who should be considered as a “Valid Parent” to provide consent. We can leave it to the UIDAI authority to sort out special cases of single parents, divorced parents, surrogate parents etc so that the digital service provider will simply accept the UIDAI certificate of “Majority” or “Minority” as a valid document for his services.
This service can be introduced by UIDAI immediately and I urge them to do so.
Personal Digital Age
This apart, I am today raising another fundamental philosophical issue of what should be considered as the right age at which a person digitally transforms from a minor to a major for his Internet/digital activities.
Today we debate if under Privacy laws we should consider recognizing “Consent giving powers” to a person of 16 years of age or 13 years of age etc., and argue that a person of that age has the necessary maturity.
But it is difficult to link any physical age to digital maturity. If we accept that today’s younger generation are more computer savvy and hence they should attain “Digital Maturity” earlier than 18 years, the same argument can make a senior citizen as a person below the “Digital Maturity Age”.
Hence determining the “Digital Maturity Age” or “Personal Digital Minority” on the basis of physical age is completely unacceptable since it would be like comparing apples to mangoes.
We need to therefore find a way for finding out the “Digital Personal Age” of a person and incorporate it into the legal definitions.
For example, I took my first birth in the Internet when I got my first E-Mail ID from vsnl.com namely naavi@vsnl.com. This happened some time in 1994-95 and I need to dig into the old records to find out the date when I registered my VSNL account. Since then, I have been using different email accounts of yahoo.com etc and now the gmail.com and other emails.
Though I might have started using computers earlier to the day of obtaining the digital email ID, I consider that I was digitally born on the Internet with a unique ID when my first e-mail account was created. Can this be considered as a basis of “Digital Age”?
This means that every person can get a certificate of first creation of an email from any service provider which can be confirmed by some authority and that can be taken as the digital birth certificate.
Once this principle is established, determining whether digital maturity should be considered after 5 years, 10 years or any other time can be easy to determine.
I am therefore placing two suggestions through this article
This system would be far better than simply using a self declaration “I am above 18 years of age” in the online contract creating documents or making special arrangement for verifying the age through supplementary enquiry etc.
I am sure that very soon we will have a reasonably acceptable AI algorithms that can assess the digital maturity and if a regulatory authority accredits different AI algorithms like they accredit the digital certificate issuing authorities, then the AI algorithm could make an assessment of “Digital Maturity Age” like we do in the case of Psychometric tests for identifying the mental age and IQ and use it for issue of “Digital Adulthood”.
I am aware that these are the first thoughts that have been floated for other professionals and regulators to consider. I hope unlike my other thoughts (eg: Adult pass) which took 15 to 20 years to get accepted by the community the above suggestions will have a mush shorter gestation period.
Your views are welcome.
Naavi
P.S: It is interesting to note that some organizations (eg: Infosys) have developed a Digital quotient through which they try to objectively represent the maturity of their employees in the employment scenario. This parameter is used to determine the “Halflife” of the employees and how quickly their knowledge becomes obsolescent. In a way this is a model of “Depreciation of the financial value of the human capital”.
The Digital maturity from the Internet contracting perspective can use some of the parameters that have been identified for determining the Digital Quotient of employees.
There is also the “Digital Maturity of an organization” which is built into the Quality systems which is different.
What we are now discussing is the “Personal Internet maturity for the purpose of determining the right digital cut off for identifying digital minors from digital majors”
Our concept is simply based on the efflux of time after a person was digitally born and is not linked to an evaluation of his skill sets as is used in the Digital Quotient of employees or the Digital Maturity of an organization. Just as every adult above 18 years is not equally intelligent even under our concept of a “Personal Digital Adult”, there may be difference in the intelligence levels of different persons. But if our physical society including adult franchise is based simply on efflux of time, perhaps it becomes relevant even in the digital society. If we were prepared to model our adult franchise on the basis of qualifications, then there would be an argument for determining the digital adulthood also on the basis of the skills of a Netizen. Skills are relevant for employment but may not be for online contracts for e-commerce or privacy permissions.
Probably we need to discuss this more in the coming days.
Naavi
[COMMENTS ARE WELCOME]
Jurisprudence is an interpretation of law by experts. One narrow view of “Jurisprudence” is that it is restricted to the views of a Court like the Supreme Court which is considered binding for the lower Courts. But this is a narrow view and needs to be modified.
A larger view of Jurisprudence is that is a scientific study of law and involves not only the history and philosophy of law but also the views and opinions of the Judiciary as well as the subject matter experts.
Interpretation of statutory texts is also “Jurisprudence”.
It may take time for the Indian legal community to come out of its shell and adopt this open view that Jurisprudence can originate from outside the Courts.
The last 22 years of Naavi.org indicates that a large part of Cyber Jurisprudential principles in India originated here and Courts took their own time in accepting these views.
One classic example which should go into the study of Law in India is that the interpretation of Section 65B of Indian Evidence Act was first made from the school of Naavi and also used and adopted in the Suhas Katti case in 2004. In 2005 Supreme Court had a differential view and only in 2012, Supreme Court adopted the Naavi’s thought process on the mandatory nature of Section 65B. The logic for the intervention of a human witness to convert the digital evidence into an admissible evidence in a Court has been explained by Naavi in many professional circles and despite some disagreements here and there arising out of the difficulty for unlearning the age old concepts of “Primary” and “Secondary Evidence” and inability to switch to interpretations based on “Digital Documents” are gradually adopting the views of Naavi. This is an example of how “Jurisprudence” can develop outside the Judiciary and may get assimilated in the system.
Naavi.org and Naavi has been propounding several new thoughts such as the Theory of Data , The ” Privacy Protection Law” as an extension of ITA 2000 etc and in due course they are likely to be tested in a Court of Law and hopefully adopted by the Judiciary.
One such Jurisprudential thought that arises out of the Digital Personal Data Protection Bill 2022 (DPDPB 2022) which is in the form of a draft before the Parliament is link between this draft and the discussion on Artificial Intelligence and Neuro Rights regulation.
In our earlier article we had discussed how ITA 2000 can be extended for AI regulation through a proper interpretation of Section 11 of ITA 2000.
Now let us see how we can consider DPDPB 2022 as extending to AI regulation.
The definition of Automated Processing under DPDPB 2022 states
(1) “automated” means any digital process capable of operating automatically in response to instructions given or otherwise for the purpose of processing data;
This definition can be extended to all forms of AI including ANI, AGI. Coupled with Section 11 of ITA 2000, accountability of AI will rest with the “Person who caused the automated system to behave in a given manner either with specific instructions or otherwise through a self learning machine learning process”.
What can now be added to the body of law is the “Ethics” in the form of rules and notifications. The notification under DPDPB 2022 can include the Code of Ethics that are required by AI industry to follow and make it part of the current regulation under ITA 2000 and DPDPB 2022 (which could become DPDPA2023 when passed)
With this interpretation, AI will be subject to all the regulations that include
a) Informed Consent
b) Purpose oriented consent
c) Minimal collection and retention
d)Rights of information, accuracy, withdrawal and grievance redressal etc
Further, the regulator of DPDPB 2022 namely the Data Protection Board becomes the regulator for AI related ethical violations. Penalties under DPDPB 2022 will also apply for AI related violations. The exemptions and deemed consent provisions will apply as stated in the DPDPB 2022.
Further, the provisions of “Significant Data Fiduciaries”, DPIA, DPO appointment, Data Auditor appointment etc will also apply to AI companies.
It is time for us to also look at PDPSI once again and see if any minor modifications are required to be indicated in the DTS calculation.
Overall we are ready to get into the AI regulatory world with DPDPB 2022.
