New Site search with Chat GPT included

After the failure of using word press applications for AI chatbots, I have now added the Bing Site search to this site through the menu link.

This provides site search along with  Chatbot automatically in the right top corner of the search page.

I hope this would be useful to the visitors of the website.

Naavi

Posted in Cyber Law | Leave a comment

Experimenting with AI chat bot.. Disclaimer

Dear Visitors

I am trying to experiment with a Chatbot on the website of Naavi.org. This is a word press plug in. 

I have found that answers provided by the Chatbot may be incorrect.

This is an experiment and Naavi shall not be responsible for any erroneous information provided by the Chatbot.

Naavi

P.S: After 24 hours of testing, I have found that the Chatbot provides consistently incorrect answers and hence I have disabled it.

Hope to see a better solution in future.

Naavi

25/2/2023

 

Posted in Cyber Law | Leave a comment

Artificial Intelligence Regulation is already implied in ITA 2000 and DPDPB 2022

While we wait for a new law to be framed for AI regulation in India, we understand that it would take time.

However, Indian law is so designed that AI regulation can be implead through ITA 2000 through Section 11 and concept of Due Diligence along with the definition of Automated processing under DPDPB 2022.

Listen to more details here from Naavi

Posted in Cyber Law | Leave a comment

The RRR saga… and Suppression of information on suspected Cognizable offence

[PS: This post is slightly off-topic. It is posted as a reflection of a responsible citizen from Karnataka unhappy with the developments.  Ignore if you donot consider it relevant for you]

In the Rohini-Roopa-Ravi discussion that is  raging in Karnataka, there is an allegation by a responsible  Police officer, D Roopa who is also well known as a crusader against corruption which appears to be deliberately not being attended to promptly by the Government.

The allegation is against another official namely Rohini and covers possible

a) Corruption in possessing assets beyond known sources of income

b) Sending of obscene information in electronic form to senior IAS officers

c) Enticing officials for soliciting favours for personal family benefit in real estate business

It is not clear whether these charges will stand the test of investigation. We are in no position to state except that these are the allegations to be investigated and proven.

But  there is a prima facie reason based on circumstantial evidence to believe that the allegations could be true.

It is also clear that though the Government had the CBI report on D K Ravi suicide which was reasonably incriminating and also complaint from Mrs D Roopa on hand, the Government of Karnataka chose to remain silent. This  indicated that it had no intention of conducting any investigation and would prefer the controversy to die down on its own.

On the other hand, the Government went on to transfer the two officials and also issue instructions to gag them not to carry on any further discussions on the issue in the social media.

It also appears that Mrs Rohini has now approached the Court to ensure that no discussions shall be published in the media.

Given the fact that there is  prima facie evidence, it is not clear how the Government can suppress some body with knowledge of a cognizable offence not to push for justice and if the Government does not respond to the complaint in time, how the person can be restricted not to seek other measures to ensure that the matter is taken to investigation.

Hypothetically, if the allegation made is true, then there is a serious conspiratorial modus operandi of the accused subjecting officials into a honey trap only to derive financial benefit. This is too big an allegation to be hidden under the carpet. If the allegation is not proven, it is open to the accused to take necessary counter action.

It is immaterial that there could be service rule violations when public interest  over rides the service rule restrictions.

If the allegation is to be brushed under the carpet, it would mean that there are political vested interests who want to support the accused.

We have always been suggesting that there is a duty on a citizen who observes a cognizable offence to bring it to the knowledge of the law enforcement even if the complainant/observer may not have complete evidence of the same. It is the duty of the Police to find the evidence and not that of the complainant. If the complaint is irresponsible, it is open to the accused to take counter action against defamation.

The developments so far has put the Government in a bad light showing some hidden hand that is trying to suppress further investigation for whatever reason they think fit.

I wish the Court also does not set a bad precedent by gagging the media from bringing out the truth behind the suicide of D K Ravi, the truth behind the “Deleted pictures”, the truth behind the “posh house under construction” etc.

Let us get the truth out whoever is correct. This is the spirit with which Naavi.org has been working in the Cyber Crime area and there is no reason why we should not hold our principles in the current RRR case.

Apart from the question ” Is there a duty to a citizen to report an observed cyber crime” for which an answer can come in the incident,  there is also a small link to the privacy issue whether confidential information from personal messages can be used either for self defence or in public interest for producing evidence of suspected crime.

Naavi

Posted in Cyber Law | Leave a comment

Is Privacy Impossible in Metaverse?

The above article titled “New Research suggests that Privacy in the metaverse might be impossible” is an interesting information that suggests how “Motion data” can be analyzed with AI to identify the avatars on a Meta Verse site.

The study suggests that after analyzing more than 2.5 million VR data recordings from more than 50000 players of “Beat Saber app” it was found that individual users could be uniquely identified with more than 94% accuracy using only 100 seconds of motion data. Nearly 50% of the users were identified within 2 secs of motion data using innovative AI techniques using only three spatial points for each user tracked over a time.

While the findings of the study may be accepted as correct,  it still requires the acquisition of motion data over a period of time which only the platform owner may be able to do or some body who is stalking the Meta Verse avatar with a sophisticated software.

However, I donot think this is some thing to be surprised about. Every pseudonymisation or Anonymisation is like encryption. It is done with some degree of efficiency which can always be beaten by use of the right kind of effort and technology.

While the study itself suggests some technology measures, perhaps some measures can be used to pseudonymize the motion data itself by introducing a modification of the real motion data.

What we can however recognize is that “attempting” identification of pseudonymization data whether successful or otherwise is an offence under ITA 2000 (Section 66) and is also a contravention of Section 43. Presently the victim can claim compensation through an adjudication system and also initiate prosecution by the Police for a 3 year imprisonment. The offence is cognizable.

Under Section 66, “Diminishing the Value of Information residing inside a computer resource” is an offence. A Pseudonymized avatar is an electronic information whose value will be diminished on identification. Hence such an activity becomes an offence under Section 66 and Section 43….Naavi

Every Metaverse platform is an “Intermediary” under ITA 200 and even if they are established outside the country, they are bound by the laws of India.

While I cannot comment on the effectiveness of any law enforcement measure to bring foreign websites under Indian law compliance other than blocking them from India, law has the necessary provision.

Hopefully Privacy Protection can only go thus far and no further. But if it is possible to use  “VR pseudonymization” at the control of the user, then it is possible to provide better Privacy protection.

It may surprise many to know that Indian law in the form of ITA 2000 has a solution even for this. Under the current provisions of the law, the MeitY can notify a “Due Diligence” requirement that can force the Meta Verse platform to introduce an effective “Avatar Creation” which includes pseudonymization of the motion data.

If MeitY can recognize this, perhaps it can issue a notification similar to what has already been issued for Cyber Cafes and Matrimonial Websites.

Naavi

Posted in Cyber Law | Leave a comment

“Personal Digital Age” needs to be given a legal recognition

Information Technology Act 2000 (ITA 2000) defined Electronic Document as a “Binary Expression” and legally recognized a definition for  “Document in Electronic Form”.  It provided a legal recognition making such documents  as equivalent to “Paper documents”. Simultaneously the “Digital  Signature” and “Electronic Signature” were also defined and provided legal recognition. Even the “Computer”, “Computer Network” etc were provided legal definitions as devices that store and process binary expressions.

However, when it came to defining “Digital Contracts” though the electronic form of offer and acceptance were defined. the basic definition of “When does an agreement become a contract”, “What is the contractual capacity” etc were adopted from the Indian Contract Act.

Hence any contract entered into on the Digital space by a person with a physical age of less than 18 years( 21 years if a legal guardian has been appointed earlier) were voidable contracts.  The law did not provide any thought to the impossibility of determining the age of a person in a digital communication.

Though ITA 2000 made “Digital/Electronic Signature” mandatory and therefore any person without a valid digital certificate issued by a Registered Certifying authority cannot enter into a valid digital contract equivalent to a signed contract, the possibility of “Deemed Contract” is possible and is being widely used in all online “Click-Wrap” agreements.

When the Data Protection Act was introduced, the concept of “Consent” was also based on the definition of contract under the Contract Act and hence could not escape the need for a valid signature.

When “Nomination” was suggested in PDPB 2019 and DPDPB 2022, we therefore flagged the Jurisprudential point that a “Will” not being recognized under ITA 2000 and a “Contract” getting automatically extinguished on the death of a person required a paper written will for nominating a transfer of a digital asset on the death of a person.

However the problem of switching the consent from the parent to the erstwhile minor without a discontinuity of service at the stroke of a minor attaining the age of 18 years remained a problem.

Further one could argue that if a person is born at say 09.22 hours on 20th February 2004, then he would attain majority at 09.22 hrs on 20th February 2022 and not at the stroke of the midnight on 20th February 2022.

Additionally the problem of age verification becomes a challenge to every contractual transaction on the Internet. In the early days of Internet, the industry used to ask for credit card ownership as an indicator of adult hood. But with the current risks of credit card frauds, it is not possible to ask for credit card numbers or a nominal debit of Rs 1 etc to verify the age of a person.

In 2005, I had suggested an issue of “Adult Pass” for Pornographic websites (Refer this article: What is an adult pass?) . Recently it was pointed out that France is likely to adopt this thought and issue “Pornographic Passports”. Such documents provide an assurance of age which can be used for allowing entry to adult websites .

In India we already have the system of “Aadhar” which can be also used as an authentication of age. UIDAI can issue on request an “Adult” certificate. Since “Minors” also carry Aadhaar ID along with the Parental Aadhaar ID, we have a ready infrastructure to make UIDAI confirm whether a person is a minor or a major and if he or she is a minor, who should be considered as a “Valid Parent” to provide consent. We can leave it to the UIDAI authority to sort out special cases of single parents, divorced parents, surrogate parents etc so that the digital service provider will simply accept the UIDAI certificate of “Majority” or “Minority” as a valid document for his services.

This service can be introduced by UIDAI immediately and I urge them to do so.

Personal Digital Age

This apart, I am today raising another fundamental philosophical issue of what should be considered as the right age at which a person digitally transforms from a minor to a major for his Internet/digital activities.

Today we debate if under Privacy laws we should consider recognizing “Consent giving powers” to a person of 16 years of age or 13 years of age etc., and argue that a person of that age has the necessary maturity.

But it is difficult to link any physical age to digital maturity. If we accept that today’s younger generation are more computer savvy and hence they should attain “Digital Maturity” earlier than 18 years, the same argument can make a senior citizen as a person below the “Digital Maturity Age”.

Hence determining the “Digital Maturity Age” or “Personal Digital Minority” on the basis of physical age is completely unacceptable since it would be like comparing apples to mangoes.

We need to therefore find a way for finding out the “Digital Personal Age” of a person and incorporate it into the legal definitions.

For example, I took my first birth in the Internet when I got my first E-Mail ID from vsnl.com namely naavi@vsnl.com. This happened some time in 1994-95 and I need to dig into the old records to find out the date when I registered my VSNL account. Since then, I have been using different email accounts  of yahoo.com etc and now the gmail.com and other emails.

Though I might have started using computers earlier to the day of obtaining the digital email ID, I consider that I was digitally born on the  Internet with a unique ID when my first e-mail account was created. Can this be considered as a basis of “Digital Age”?

This means that every person can get a certificate of first creation of an email from any service provider which can be confirmed by some authority and that can be taken as the digital birth certificate.

Once this principle is established, determining whether digital maturity should be considered after 5 years, 10 years or any other time can be easy to determine.

I am therefore placing two suggestions through this article

  1. UIDAI to introduce a physical age certificate with parental tag for minors
  2. E-Mail service providers to introduce the first date of creation as a certificate on request subject to declaration of details such as name etc.

This system would be far better than simply using a self declaration “I am above 18 years of age” in the online contract creating documents or making special arrangement for verifying the age through supplementary enquiry etc.

I am sure that very soon we will have a reasonably acceptable AI algorithms that can assess the digital maturity and if a regulatory authority accredits different AI algorithms like they accredit the digital certificate issuing authorities, then the AI algorithm could make an assessment of “Digital Maturity Age” like we do in the case of Psychometric tests for identifying the mental age and IQ and use it for issue of “Digital Adulthood”.

I am aware that these are the first thoughts that have been floated for other professionals and regulators to consider. I hope unlike my other thoughts (eg: Adult pass) which took 15 to 20 years to get accepted  by the community the above suggestions will have a mush shorter gestation period.

Your views are welcome.

Naavi

P.S: It is interesting to note that some organizations (eg: Infosys) have developed a Digital quotient  through which they try to objectively represent the maturity of their employees in the employment scenario. This parameter is used to determine the “Halflife” of the employees and how quickly their knowledge becomes obsolescent. In a way this is a model of “Depreciation of the financial value of the human capital”.

The Digital maturity from the Internet contracting perspective can use some of the parameters that have been identified for determining the Digital Quotient of employees.

There is also the “Digital Maturity of an organization” which is built into the Quality systems which is different.

What we are now discussing is the “Personal Internet maturity for the purpose of determining the right digital cut off for identifying digital minors from digital majors”

Our concept is simply based on the efflux of time after a person was digitally born and is not linked to an evaluation of his skill sets as is used in the Digital Quotient of employees or the Digital Maturity of an organization. Just as every adult above 18 years is not equally intelligent even under our concept of a “Personal Digital Adult”, there may be difference in the intelligence levels of different persons. But if our physical society including adult franchise is based simply on efflux of time, perhaps it becomes relevant even in the  digital society. If we were prepared to model our adult franchise on the basis of qualifications, then there would be an argument for determining the digital adulthood also on the basis of the skills of a Netizen. Skills are relevant for employment but may not be for online contracts for e-commerce or privacy permissions.

Probably we need to discuss this more in the coming days.

Naavi

[COMMENTS ARE WELCOME]

 

Posted in Cyber Law | Leave a comment