CNIL Fine of Discord.com

The fine of Euro 800,000 imposed by CNIL on the US-based Discord.com is an instance where the supervisory authority conducted its own online inspection, without any complaint about a data breach, and arrived at a fine for a relatively low-risk contravention.

Details

The fine, which was imposed on 10th November 2022, was a reminder to the industry that even without any breach-related complaint, CNIL could on its own look for non-compliance and impose fines.

The breach identified was the lack of a written “Data Retention policy” under Article 5.1.e. As a result, the investigation found that the data of 2,474,000 French users remained in the database though the accounts had not been used for more than 3 years, and that of 58,000 accounts which had not been used for more than 5 years. (P.S: During the investigation, the company introduced a policy to delete the information after 2 years).

CNIL further identified an associated Article 13 breach (not providing information to the data subject) since there was no policy on data retention.

Yet another breach identified was a deficiency in the implementation of data protection by default (Article 25.2). The observation in this regard was that when a user wanted to close the voice chat and clicked on the X mark on the window, the application was only sent to the background and not exited. (P.S: During the investigation, the company introduced, as a compliance measure, a pop-up to indicate that the voice chat window is still running in the background).

Another issue found by CNIL was that the password policy allowed the use of a 6 letter password and did not mandate a complex password with a mix of lower case, upper case and special characters. (P.S: During the investigation, the company complied with the requirement).

Further, CNIL found fault with Discord.com for not having conducted a DPIA; given the volume of data handled, it should have conducted one. (PS: The company conducted two DPIAs and concluded that it is not likely to result in a high risk to individuals’ rights and freedoms).

The incident indicates that CNIL could conduct its own online inspections and initiate action against companies. It would be wise for foreign companies providing services in the GDPR region to set aside suitable insurance coverage (if available) or provisions to meet such demands, as if they were a GDPR tax.

Naavi


The Theory of Mind…Concept of Qualia

At Naavi.org, we have frequently alluded to “Theory” to explain concepts. We discussed the “Theory of Information Security Motivation” at one time and also created the “Theory of Data” to explain “Data” and its relation to “Privacy”. We did make a brief mention of “Theory of Privacy” which is still to be explored. Now is the time to open the doors for discussing the “Theory of Mind”. We are converging on this topic from the need to understand the “Neuro Rights Protection” and also to understand the “Artificial Intelligence regulation”.

I am approaching these topics as a student and trying to understand the present thinking on this topic peppered with my own views.

Our own approach to the human mind earlier has been through “Philosophy”, which tries to discuss the “Mind”, “Intellect” and “Consciousness” and their respective manifestations of the “Thought Process”, “Discretion” and “Awareness”.

Scientists of the modern era are coming towards the study from the biological concept of the Brain, the nervous system, Neurons, the Dendrites, Electro-Chemical changes and Electro-Magnetic signal processing that happens within the brain.

The psychologists have their own approach to understanding the behaviour of a person, which is a manifestation of the instructions generated in the mind. They look at the conscious mind, sub-conscious mind, emotions etc. as different manifestations of the functioning of the brain.

When an AI programmer is trying to emulate the human brain and take it beyond the “I instruct…Remember and Execute” kind of functioning to a level where the program is instructed to “Learn while you decide and alter the behaviour to make the output more in tune with an objective”, the programmer tries to draw some understanding of the way the human “Mind” functions so that he can set up a neural network close to human intelligence.

It is in this context that the “Theory of Mind” appears the next door to open.

The Theory of Mind (TOM) is meant to understand how the brain is able to generate thoughts, emotions, feelings, beliefs etc. which define the character of a person. It tries to find the reason why “Intuition” exists and why an individual sometimes discards earlier experience and takes decisions not apparently backed by any logic.

One plausible explanation is to consider that this is a kind of decision based on a probability estimate, but whether it is as simple as probabilistic decision making or something else like the “Sixth Sense” is a matter to be analyzed.

I was going through the book, “The Basic Theory of Mind” by Dr Chirapat Ukachoke to understand his perspective of the “Theory of Mind”. One of the important concepts that the theory discusses is the concept of “Qualia”, which is the way a person perceives the incoming neural signals. This brings us close to the concept of “Consciousness” and the “Theory of Maya” used in Indian philosophy.

Basically “Qualia” is the ability of the mind to “See things”. While the sensory perceptions stimulate the mind to “See things”, it is possible that a person may “See” what is different from what another person sees, and herein lies the origin of “Intuitiveness”.

We should remember that “What we see may not be what it is”, since the perception is dependent on several aspects of the state of mind. Ideally the state of mind should have a direct correlation to the state of a sensory stimulation. But this may not be true. When you hear the word mango, some may perceive a ripe Alphonso and another may perceive a green Totapuri. When a red object is seen, one person may see the colour and another may not, or may see a different colour.

Other examples of qualia include the perceived sensation of pain of a headache, the taste of wine, as well as the redness of an evening sky.

All such perceptions cannot be dismissed with the deficiency of the sensory organizations. There could be a difference in the “Vision” not related to the sensory input alone.

In AI such happenings may be considered as “Errors” or “Deficiency in Training”. But when we try to provide self learning capability to the AI, can there be a situation where the AI will imagine things on its own and act in a manner that is not intended by the developer?… is the concern we need to resolve.

We need to explore this further and see if there is any learning we can take to the AI development.

Naavi

More about Qualia

According to ChatGPT: Intuition and qualia are related in that both involve a type of direct, non-verbal understanding of the world. Intuition can be seen as a type of qualia in that it involves a direct, unconscious experience of knowledge, without the need for conscious reasoning or analysis. However, intuition can also be seen as distinct from qualia, in that it involves a more general, problem-solving type of mental processing, while qualia is more specific to individual sensory and mental experiences.


Should AI ethics include “Forgetting”?…towards AI regulation in India

This is a continuation of our discussion on “Towards AI Regulation in India”.

Presently, any AI algorithm is a piece of computer instruction which creates an automatic functioning of a software/hardware. The automated functioning of the AI device is governed by the provisions of Information Technology Act 2000, Section 11 read with Section 2(za) which inter-alia states as under.

Quote

“An electronic record shall be attributed to the originator if it was sent by the originator himself or by a person who had the authority to act on behalf of the originator in respect of that record or by an information system programmed by or on behalf of the originator to operate automatically”

“Originator” means a person who sends, generates, stores or transmits any electronic message or causes any electronic message to be sent, generated, stored or transmitted to any other person but does not include an intermediary;

Unquote

In view of the above, at present the activity of any AI algorithm would legally be the responsibility of the owner of the algorithm. If the algorithm is embedded into a device such as an autonomous driving vehicle, automated credit rating mechanism, prosthetic device or a humanoid robot etc., the responsibility continues to rest with whoever owns the system and markets it to the consumer. Since the functioning of a final device is a combination of multiple systems, the suppliers of sub systems become contractually related to the final claimant of the owner of the device.

It was in this context that we discussed the responsibility for illegal activities of robots like Sophia, which was created by a Hong Kong firm and granted citizenship by Saudi Arabia. (refer this earlier article).

However, it is considered better for implementation of law if the law has better clarity. Otherwise, if a person approaches the Adjudicator under Section 46 of ITA 2000 or the Director, CERT-In or a Court and claims damage from the actions of ChatGPT or any other AI algorithm or robot, it is difficult to imagine how the judicial authority would respond.

We therefore need the MeitY to immediately designate an “Artificial Intelligence Authority of India”, starting with designation of an official in the MeitY within the powers under ITA 2000. This would be like the “Controller for Online Games” who may be appointed under a gazette notification.

The first step that the AI regulator should initiate is a method to create a registry of AI developers and mandate registration. This means that there should be consequences of non-registration which need to be developed in the notification.

Obviously this will be opposed and has to be followed through as the first battle for the AI regulation.

A similar development happened in the Bitcoin/Crypto regulation which finally resulted in CBDC as an officially approved Crypto Currency and de-recognition of all other Private Cryptos. Similarly, AI developed by registered developers will be “Officially recognized” algorithms with a “White” label and others should be considered as “Grey” or “Black” labelled depending on criteria.

We can start with this labelling and how the society accepts it over time may be observed and further action taken as and when required.

But the “White” AI developers will be those who voluntarily submit themselves to the ethical boundaries set by the registration and the principles of ethics already being discussed worldwide can be included in the guideline one by one.

One of the requirements we have already discussed in this regard is that every AI developer shall be accorded a unique registration number by the authority which shall be embedded in the developer’s work.

Additionally a set of ethical guidelines would be applicable for the development.

The first set of such principles were proposed by Isaac Asimov in his short story “Runaround” in 1942 and consisted of the following three laws of robotics.

  1. A robot may not injure a human being or, through inaction, allow a human being to come to harm.
  2. A robot must obey orders given to it by human beings, except where such orders would conflict with the First Law.
  3. A robot must protect its own existence as long as such protection does not conflict with the First or Second Laws.

Once AI started developing, experts have been discussing the ethical principles to be followed by AI research and development teams, and several sets of principles have emerged.

One such set is “The principles of Asilomar”, developed by a group of experts in AI and ethics at the 2017 Asilomar Conference on Beneficial AI. They provide guidance on how to ensure that AI is developed and used in a way that benefits humanity and avoids unintended harm, and could also be used. They consist of the following 23 principles:

  1. Research Goals: The goal of AI research should be to create not only a technology but also a world in which the technology is safe and beneficial.
  2. Long-Term Goals: Long-term, society-level planning is necessary, including global and national strategies, research programs, standards and regulations.
  3. Importance of Value Alignment: It is crucial to align the goals and behavior of AI systems with human values throughout their operation.
  4. Control: Every AI system should have accessible and understandable control mechanisms, so that humans can align the goals and behaviors of the system with human values.
  5. Human Values: AI systems should be designed and operated so as to be compatible with ideals of human dignity, rights, freedoms, and cultural diversity.
  6. Personal Privacy: The privacy rights of individuals must be protected.
  7. Sharing: The benefits of AI should be shared widely.
  8. Openness: AI research and development should be open, transparent and accessible.
  9. Collaboration: Collaboration between researchers and stakeholders is necessary to ensure that AI has a positive impact.
  10. Responsibility: Researchers and developers of AI systems have a responsibility to ensure that their systems are robust and verifiable and to avoid creating systems that are a threat to humanity.
  11. Safety: AI systems must be safe and secure throughout their operation.
  12. Failure Transparency: If an AI system causes harm, it should be possible to find out why.
  13. Responsibility for AI Systems: Those designing, building, deploying, or operating AI systems are responsible for ensuring that they do what they are intended to do and do not cause harm.
  14. Value Alignment: The beliefs, values and preferences of AI systems should be aligned with human values and ethical principles.
  15. Human Control: There should be a way for humans to disengage or overwrite AI systems if they are causing harm.
  16. Non-subversion: The power granted to AI systems should be used to preserve human values and to avoid subverting these values.
  17. Long-Term Responsibility: Organizations and institutions developing or deploying AI systems have a long-term responsibility to ensure their alignment with human values.
  18. Importance of Basic Research: Basic research is necessary to ensure that AI systems are transparent, controllable, and predictable.
  19. Risks and Benefits: The risks and benefits of AI should be systematically studied and understood.
  20. Diversity: Diverse perspectives and approaches are necessary to ensure that AI benefits humanity.
  21. Human augmentation: AI has the potential to significantly enhance human capabilities, but it is important to ensure that such enhancements are safe and beneficial.
  22. Ethics and Values: The ethical and moral implications of AI must be carefully studied and considered.
  23. Responsibility of AI Developers and Deployers: AI developers and deployers have a responsibility to ensure that AI systems are developed and used in a way that is aligned with human values.

Another such set is the “Turin Principles”, developed in 2018 by a group of experts in AI, in addition to other principles such as the Asilomar Principles.

The Turin Principles consist of the following 10 principles:

  1. Human control: AI systems should be designed and operated in a way that ensures human control over the technology and its decisions.
  2. Transparency: AI systems should be transparent and explainable, so that their functioning and decision-making processes can be understood by humans.
  3. Responsibility: Those who design, develop, and operate AI systems should be held accountable for their functioning and impacts.
  4. Human values: AI systems should be designed and used in a way that is consistent with human values, including dignity, rights, freedoms, and cultural diversity.
  5. Fairness and non-discrimination: AI systems should not discriminate against individuals or groups, and should ensure that everyone is treated fairly and without bias.
  6. Privacy: AI systems should respect the privacy of individuals, and the protection of personal data.
  7. Environmental and social responsibility: AI systems should be developed and used in a way that is environmentally sustainable and socially responsible.
  8. Quality and safety: AI systems should be of high quality and safe, and should be designed to minimize harm and risks to individuals and society.
  9. Capacity building: There should be investment in capacity building for individuals and organizations to understand, develop, and use AI in a responsible and ethical manner.
  10. Cooperation: The development and use of AI should be based on international cooperation, and the sharing of knowledge, expertise, and best practices.

PS: Note that both the above principles include the “Principle of Accountability” which we have indicated as the first requirement of our set of principles.

Additionally there have been other initiatives such as the “Montreal Declaration for a Responsible Development of AI”, “Partnership on AI”, “IEEE Global Initiative for Ethical considerations in AI and Autonomous systems”, “AI Now Institute’s AI Principles” etc. We shall discuss these principles independently in other follow up articles.

The ethical guidelines suggested include “Protection of Privacy”, which means that processing of personal data must be done in accordance with the known principles of privacy. If, however, processing has to be legal, then any restriction on automatic processing should be subject to the restrictions of law under GDPR/CCPA/ITA2000 or other similar laws.

One of the areas in which some disputes have arisen and been settled through judicial process is the exercise of the “Right to be forgotten”, where search engines have often been mandated by law to specifically remove personal identity references in certain publicly available information.

This apart, there is an issue in the learning process embedded in the self learning AI algorithms, which keep collecting and processing information over time and learning with each new information input.

An ethical question arises here whether there should be some rules built into the use of learning inputs which are dated. Humans have an inbuilt mechanism to forget, without which we would be burdened with all the bad memories of life. Machines do not forget, and hence if the decisions of an AI are based on information which is of a past time, the outcome may not be correct. Even humans change over a period of time, and a person who was a bad person during his teens may become a good person when he is an adult and a saint when he is older. It could be the reverse also, where a good person may turn bad over time.

If AI has to maintain quality, then AI should also be trained to understand what is relevant, what is less relevant and what is not relevant, before arriving at the final decision. Hence some form of weightage based on the time of the learning event needs to be part of the ML process.

“Ability to forget” should be a quality that a good AI should develop, and hence has to be one of the ethical principles that needs to be added to the developing set of “Naavi’s Ethical Principles of Artificial Intelligence” (NEPAI).

We shall continue our study of all the sets of principles presently available and arrive at our own version in due course.

I welcome contributions from others in developing this set of principles.

Naavi

OPEN FOR DISCUSSION


Relaunching the Course on Cyber Law

Naavi has been a pioneer in conducting Cyber Law Courses online through Cyber Law College, which launched its first course way back in 2000.

Now ITA 2000 has completed 20+ years and a lot of experience has been built in the market in terms of Court decisions on Section 66A, Section 79, Section 65B of IEA etc. Not all of these decisions have been consistent, but Judges have been exercising jurisprudential thoughts on the cases.

There is therefore a renewed interest among students and the lawyer community in Cyber Law Courses.

To ensure that the flow of knowledge in this area continues, Cyberlawcollege.in has re-launched its online course on “Certificate in Cyber Laws”.

The course is online and a set of recorded videos has been provided to cover the ITA 2000 comprehensively. New videos covering recent developments on Intermediary guidelines and CERT-In guidelines have also been added.

We shall add further videos which will cover application of ITA 2000 on Artificial Intelligence, Meta Verse, Quantum Computing, Blockchain technology etc.

There will be periodical direct Zoom interaction with Naavi so that students can get their doubts clarified. This is therefore a “Hybrid” program with Online and Offline interaction. There will be an online examination followed by Certification.

The objective is to make this course the most comprehensive course available to a knowledge seeking professional.

The Course is presently priced at Rs 6000/- (Inclusive of GST) and could change upwards in future.

Interested persons can register for the course here.

Cyber Law College.in also offers courses on Data Protection which may also be perused on the website cyberlawcollege.in

Colleges and Law firms can contact for bulk discounts. Please spread the word to your friends.

Naavi


Request lodged to SEC to conduct enquiry against Hindenburg firm for investment fraud

PS: This post is not related to the area of Cyber Law or Data Privacy which is the professional activity of Naavi. It is linked to the national interest of India and to Information Warfare issues. I do not subscribe to the view that professionals should shy away from commenting on events of public interest and hence as a past Merchant Banker and Investment journalist who maintained a regular column in a national newspaper, I consider it my duty to record my views on this subject. …Naavi


The recent Hindenburg report and the consequent developments in the stockmarkets have hurt a large number of investors in India. The stockmarket drop has hurt not only investors in Adani group shares but investors in other shares also. Hence the development is of interest to all investors irrespective of whether they are supporters of Mr Adani or not.

It is tragic to see uninformed politicians speaking about discussion of the issue in the Parliament, setting up of a JPC etc indicating that they have no idea of the stockmarket operations and what is the responsibility of the Government.

Many in the media are also sensationalizing the drop in market capitalization of Adani shares and his notional wealth coming down showing their ignorance that this has no relation to corporate performance and investor interests.

There is prima facie evidence to suspect that the report is part of an “Anti India Toolkit” similar to the tool kits used by the opposition parties during the farmer’s agitation.

I have therefore requested SEC, USA to conduct an enquiry on the Hindenburg firm and request SEBI to lodge a formal complaint with SEC. I also urge interested public to send similar emails to SEC or raise a petition to initiate action in USA against the Hindenburg firm.

The copy of the email sent today to SEC at “Chair@sec.gov” is as follows:

Quote:

To
The Chairman
The Securities Commission
USA

Dear Sir

I refer to the recent report of Hindenburg on the Adani Group of India alleging corporate mis Governance etc which has caused large scale financial losses to investors at large.
Hindenburg is a firm which declares itself as a “Short Seller” and earns commission from firms which profit from short selling following such reports.
Prima Facie this activity is a fraudulent activity.
Short selling by an investor on his own perceptions about the future of a stock is legitimate. But creating a report to sway the market opinion in one way is nothing different from the “Pump and Dump” fraud.
Similarly, a research report released in the interest of the investment community is a “Public Interest” activity. Obviously Hindenburg report is generated and published in self interest and not considered as “Public Interest”.
As SEC, we would like to know if it is not your duty to conduct an enquiry against Hindenburg firm and its real intentions of releasing the report and timing it to strike at the FPO of the Adani Group.
The timing related to Adani Group making progress against Chinese interests in several countries raises a question on whether this is part of an information war which is also directed against hurting the Indian economy in general.
There is an apparent possibility of this report being part of the “Anti India Toolkit” developed by the Indian politicians similar to the earlier such toolkits in which unrelated celebrities of USA were making adverse comments on the Farmer’s agitation in India.
We in India have a strong suspicion that Hindenburg report is a fraud by itself and SEC must investigate the funding of this report.
We look forward to appropriate action in this regard.
In case you feel that there is no need for SEC to conduct a preliminary investigation to determine the possibility of fraudulent conspiracy behind this report and publish it for public consumption both for US and global investors, kindly let us hear about your views.
If the possibility of fraud is prima facie established, SEC should conduct a more detailed and professional investigation like the Enron investigation and bring the culprits to book.

This is a question of the credibility of SEC. 

Naavi

Na.Vijayashankar

Founder: www.naavi.org

Unquote:

Naavi


10 years after Naavi’s suggestion, “Data Embassy” concept is accepted by the Government!

In 2013, Naavi had suggested a concept titled “Privacy Protection Zones” as a solution to India not having a Privacy Law but wanting to retain the data processing business.

In 2015, Naavi highlighted this need along with other requirements for Digital India in a Cyber Law Vision 2018 document.

Subsequently, in 2017, the proposal was re-iterated in the context of a discussion on Data Localization in a conclave in Delhi.

Then in 2020, Naavi again pushed the idea directly to the IT Minister and CM of Karnataka at a time.

Unfortunately, all these suggestions were not acted upon for reasons not known.

The details of these suggestions are available in the following documents:

  1. Article in Naavi.org dated February 9 2013 titled “Privacy Protected Zones Required”
  2. An article published on Naavi.org on May 4 2015 titled “Cyber Law Vision 2018”
  3. An article published on Naavi.org on July 16, 2017 titled “Data is Experience”…How Do we confine it?, in which the earlier discussions in a conclave in Delhi on July 14/15 were highlighted.
  4. Then on November 8, 2020, sent a letter to the IT Minister in Karnataka, under copy to the CM of Karnataka as well as Mr Tejasvi Surya, MP specifically suggesting formation of a “Data Protection Tech Zone” in Karnataka. (Copy available here)

But I am happy to note that today’s Economic Times carries an article indicating that the Government of India is considering a similar proposition along with the DPDPB 2022 to be presented in the Parliament shortly.

As per the indications provided, the entities may be called “Data Embassies” which will be provided diplomatic immunity from local regulations.

We need to await more details when the Bill is presented in the Parliament.

Naavi
