Naavi.org

In 2013, Naavi had suggested a concept titled “Privacy Protection Zones” as a solution to India not having a Privacy Law but wanting to retain the data processing business.

In 2015, Naavi highlighted this need along with other requirements  for Digital India in a Cyber Law Vision 2018 document.

Subsequently, in 2017, the proposal was re-iterated in the context of a discussion on Data Localization in a conclave in Delhi.

Then in 2020, Naavi again pushed the idea directly to the IT Minister and CM of Karnataka at a time.

Unfortunately, all these suggestions were not acted upon for reasons not known.

The details of these suggestions are available in following documents

1. Article in Naavi.org dated February 9 2013 titled “Privacy Protected Zones Required”
2. An article published on Naavi.org on May 4 2015 titled “Cyber Law Vision 2018”
3.  An article published on Naavi.org on July 16, 2017 titled “Data is Experience”…How Do we confine it?, in which the earlier discussions in a conclave in Delhi on July 14/15 was highlighted.
4. Then on November 8, 2020, sent a letter to the IT Minister in Karnataka, under copy to the CM of Karnataka as well as Mr Tejasvi Surya, MP specifically suggesting formation of a “Data Protection Tech Zone” in Karnataka. (Copy available here)

But I am happy  to note that today’s Economic Times carries an article indicating that the Government of India is considering  a similar proposition  along with the DPDPB 2022 to be presented in the Parliament shortly.

As per the indications provided, the entities may be called “Data Embassies” which will be provided diplomatic  immunity from local regulations.

We need to await more details when the Bill is presented in the Parliament.

Naavi

The budget speech of the Finance Minister Mrs Nirmala Seetaraman yesterday highlighted a project investment proposal to create three centers of excellence for Artificial Intelligence to be established in leading educational institutions to realize the objective of “Make AI in India and Make AI work for India”.

Refer article in the420.in

The AI project has multiple dimensions such as

a) AI research for developing Indian capabilities in developing Artificial Super Intelligence as a progressive scientific development.

b) Development of AI for Military and Law enforcement use

c) Development of AI for industrial/Business applications

d) Preventing AI from being developed as a threat to human race

e) Prevention of the use for anti-India activities.

We recognize that future development of AI will have serious impact on the national security and the research activities of these centers would have to be monitored properly and a selection criteria developed to approve projects like approving a project for nuclear research.

Hence before the Government starts funding AI development it has to ensure that an Inter ministerial committee involving MeitY, MHA, PMO are involved in setting the appropriate criteria to select eligible institutions as well as eligible persons to work in such institutions.

It is possible that such institutions will be immediately penetrated by anti-India forces  so that they can spy on the developments.

Hence  we need to develop a negative list of Universities which should not receive this funding. There are many other institutions which should be kept out of the eligibility criteria.

Secondly the individuals who work in these institutions such as the professors need to be carefully chosen with a proper background verification, failing which undesirable interests may usurp the key
positions.

The people selected should be  provided all incentives and protections to ensure that they remain loyal to national interests.

These centers should also be the places where we develop the principles of AI regulation starting with

a) Issue of AI development license

b) Need to incorporate AI development license ID in the set of codes developed

c) Adherence to the accepted ethical principles including documentation

Without accountability and Transparency, no activity should be supported in educational institutions with or without Government funding.

I hope these are incorporated immediately in the guidelines that may be developed during the debate on the proposals.

Naavi

Created by Dalle-E

It is a common idiom to say “Set a thief to catch a thief”. A modified version of this phrase in the ChatGPT era is “Set AI to Catch AI”.

GPTzero.me  is the new tool that has emerged to detect if any text has been generated by ChatGPT or similar AI and not by a human. This tool is developed to help educators to detect if AI has been used to generate text responses in essays and assignments. Just like the “Plagiarism” detection tool, this tool checks the text and identifies the possibility of a text having been generated by an AI.

At first glance it appears to be working reasonably fine and it generates an “Average Perplexity Score” ) measurement of randomness of the text) for the subject text and highlights possible portions generated by AI. Another score called the “Burstiness Score” measures the variation in perplexity.

The product could be useful to preserve the integrity of the education evaluation system as we use today though we need to re-work on our assessment systems soon.

Naavi

DPDPB 2022 is a bill that is expected to come for discussion in the current Budget Session.

According to Section 11.1 of the Bill,

The Central Government may notify any Data Fiduciary or class of Data Fiduciaries as Significant Data Fiduciary, on the basis of an assessment of relevant factors, including:

a. the volume and sensitivity of personal data processed;

b. risk of harm to the Data Principal;

c. potential impact on the sovereignty and integrity of India;

d. risk to electoral democracy;

e. security of the State;

f. public order; and

g. such other factors as it may consider necessary;

We are now exploring how India could regulate the adverse impact of Artificial Intelligence, Meta Verse usage and Neuro Technology Developments.

While a separate law or an exclusive handling of these areas under the revised ITA 2000, could be an option available to the Government, we should now also consider if the AI/MetaVerse/Neuro technology companies can be declared as “Significant Data Fiduciaries” since they handle unknown risks to a data principal and could also cause risk to electoral democracy, public order etc.

Once such companies are brought under the regulation of the Data Protection Board, the rules can take care of the first draft of the “Artificial Intelligence Regulation”.

The first few aspects of this law could be

a) Creation of a set of Registered AI developers who agree to follow an ethical path to development

b) Providing a unique ID to the registered AI developers

c) Encourage following of a Self Regulatory Code of Conduct for the members

d) Take such steps as are required to ensure that development of AI shall at all times remain within the boundaries of human welfare.

While we urge the Government to take necessary action in this regard, I propose that organizations like FDPPI should start a sub group as Foundation of Emerging Technology Professionals in India and start working on a draft regulation in the background.

Naavi

For some time now Naavi has been highlighting the dangers of AI and the possibility of an existential threat to the human society because of the Artificial Super Intelligence which can learn from its own observations and correct itself without the assistance of a human developer.

Mr Elon Musk has been the Co-owner of ChatGPT and his company Neuralink is also actively into Neuro Technology both of which in combination could be a real danger to the human race.

The only response that we can think of now is to start introducing some regulation of AI so that the interests of the society are preserved.

UNESCO has suggested a model regulatory guideline and EU has already developed a draft AI Act. Additionally many ethical guidelines are being discussed by interested persons.

Naavi believes that there is a need to seriously work on a draft AI regulation in India which will bring AI development under some sort of control so that the future of humanity is preserved.

The challenges to this are many. We have just gone through a similar problem in “Crypto Currencies” and appear to have finally found a solution. After 10 years of struggle we have decided to preserve  the technology of Block Chain and Crypto Currency by accepting the CBDC, a Crypto Currency  controlled only by the Central Bank of the country, while all private Crypto Currencies would be considered illegal.

We have a similar requirement in the AI development to ensure that there is a tracking of the development of AI so that private companies or individuals would not secretly weaponize AI.

The architecture for such a regulatory environment needs to be developed. Some thoughts in this regard are as follows.

1. The Government needs to be the leader and should create a “Artificial Intelligence Authority of India”.  (AIAI).
2.  AIAI should register any developer or a development Company which develops AI algorithms under a commonly agreed definition of AI.
3.  We can define AI like the following…

“Artificial Intelligence system  is a Computer environment consisting of hardware and/or software that may perform  tasks  involving automated processing and decision making based on an ability to observe the surroundings , perceive human like experience and improve its decision making through continuous learning” 

In due course , we may further refine this definition to cover “Artificial Narrow intelligence” (ANI) which has the ability to work in a pre-defined area only, “Artificial General Intelligence” which is capable of working in many areas and “Artificial Super Intelligence” (ASI) which can not only work in multiple domains but also capable of problem solving and decision making in areas in which it has not been previously trained.

4. All Registered AI developers and Development Companies should be provided with a unique AI developer ID linked to Aadhaar or PAN Card or such other acceptable reference documents.

5. Every set of Source Code falling in the area of AI should include in the source Code the ID of the developer.

6. The AI software code should be out of the IPR or considered as under “Compulsory Licensing” in view of its importance to the existence of human race.

7. Certain pre-defined Source Code identified as “Sensitive” or “Critical” may be  mandatorily escrowed with the AIAI.

8. The registered developers may be the persons through whom any ethical principles could be implemented.

There is no doubt that there will be a serious opposition to the above  suggestions from the industry as “Curbing” innovation. But when we think deeply, this would be like the mandatory “Driving License” system which the society has adopted.

It is only when we realize the dangers of AI and its ability to take over the world one can appreciate why such regulation may be required before it is too late. It is possible that such a regulation may not be 100% effective and many unauthorized AI algorithms may continue to be developed and used by unscrupulous entities. But just as we try to regulate malware or obscenity though with very little success, it is necessary to have a regulation so that at least the law abiding developers can create their own domain and distinguish from the unregulated domain just as how the Dark Web may c0-exist at present with the Internet.

This effort should start with the formation of a willing community of companies who start a voluntary group of “Law Compliant AI Developers” and gradually expand it into an All India association of Ethical AI Developers.

One of the suggestions Mr Elon Musk has made is that there should be a democratization of AI development. I donot know what exactly is his thought process when he calls for a “Democratization of AI development”. Perhaps it is an extension of the “Open Source development” or like the “Public Block Chain” where there is transparency in the process of development. May be there is some similarity between his his suggestion and what I am trying to suggest above on the lines of “Copyleft” concept.

Views and suggestions  are welcome. These are very preliminary thoughts and are floated as seeds for other thoughts to sprout.

Naavi

Naavi has been advocating a Data Protection Compliance Framework for organizations to follow as a replacement of international frameworks like ISMS under ISO 27001/27701 etc., without diluting the requirements of these frameworks but enhancing them to many new Governance related issues. In a way, the DPCMS advocated by Naavi/FDPPI was a Data Governance Model which included Data Protection as a part of Governance.

On the other hand, the other popular systems started with different objectives and had to introduce new supplementary frameworks to bring it in alignment to the corporate requirements to retain their relevance.

For example, quality management systems had to be upgraded to security management systems and security management systems had to be upgraded to cover Privacy issues, Privacy Management systems for one jurisdiction had to be supplemented with requirements for another jurisdiction etc.

Hence compliance today has become complicated and if it has to be certified then multiple frameworks need to be complied with and documented.

If we look at  PDP-CMS, the Personal Data Protection Compliance Management System which is built on PDP-CSI, or Personal Data Protection Compliance Standard of India, the framework presents itself as a “Unified Framework” that can be applied across jurisdictions as it is focussed on “Compliance” of a given law.

The reason why PDP-CMS is flexible is that it is not limiting itself to the “Security” aspect only but goes onto being a “Governance” model.

For example, the PDP-CMS comes with 50 Model implementation Specifications. Of these 20 are directly related to IT systems. 15 of the specifications are related to Management and another 9 to the DPO while 2 are for legal and 4 for HR requirements.

It may be therefore appropriate to consider PDP-CMS as a Governance model with a focus on Compliance of a given Data Protection Law.

The futuristic concepts that has been used in PDP-CMS and guided by PDP-CSI, include

a) Distributed Responsibility

b) Data Valuation and Accounting

c) Senior Executive development

d) Communication Management

e) Business Associate Approval

f) Regulatory Agency relationship

g) Augmented Whistle blower system

h) Grievance Redressal System

These are more “Governance Requirements” than IS requirements.

The visionary nature of PDP-CMS is evident in the fact that some of these requirements are now getting highlighted by experts as requirements for implementation.

Hopefully the  inherent strength of PDP-CMS will gain more recognition in the industry in the days to come.

Naavi