The Quantum Hub

Authors: Rohit Kumar & Renjini Rajagopalan
Published: November 12, 2019 on Firstpost

At the recently concluded India Mobile Congress 2019, Union Minister Ravi Shankar Prasad spoke about India generating the largest amount of data in the world. Our tryst with technology has led us to being one of the foremost internet using countries in the world. However, the same has not been without consequences.

As with all mediums, the internet too is open to abuse. Social media platforms, with their ever-growing number of patrons, are particularly susceptible. Over the last few years, India has had to battle the spread of doctored images and falsified news which has fueled mob violence across the country, often resulting in the death of innocent people in a number of instances.

The Indian government had sought to crack down on perpetrators by seeking co-operation from dominant social media platforms such as Facebook and Twitter, who in-turn introduced numerous measures including employing fact-checkers to battle fake news. However, with Law Enforcement Agencies (LEAs) struggling to pinpoint the origin of such messages and effect convictions, the government has sought increased accountability from social media platforms, including having them trace senders of the original messages.

This has been strongly protested by platforms who cite encryption technologies (including end-to-end encryption) backing their messaging services, customer privacy, and likely reputational damage, in the event of allowing interception. Therefore in late 2018, the government attempted to compel them into doing so via amendments to intermediary guidelines which govern digital platforms. This had significant ramifications for tech companies since it had the potential to impact their operations, including the tech and encryption algorithms they deploy. While other issues had put these amendments temporarily on hold, a recent Supreme Court order that asked the government to curb social media misuse, has once again thrust the issue of encryption and government interception into national discourse.

Global models for governing the interception of encrypted information

Countries across the globe resort to different ways to intercept encrypted information. Some seek to limit those who use encryption by way of a license, while others might resort to using court warrants. Some might even seek backdoor access i.e. asking for ways or methods to bypass encryption.

Countries such as Russia and China have put in place laws that govern or limit the use of encryption by private companies, thereby allowing the state to maintain supervisory access over all information collected and processed by the companies. Australia’s recently enacted Assistance and Access Act too falls within this bucket. It not only empowers LEA’s to seek (and enforce co-operation) from technology entities to access specific users’ encrypted messages and data, but where companies can’t offer such access due to end-to-end encryption, it authorises them to demand that they build tools to do so.

The sheer variety of such interception models speaks to the unresolved nature of the issue. Even countries such as the US and the UK, while trying to be mindful of privacy concerns, are seeking increased compliance from intermediaries/social media platforms in the interest of national security.

Providing a balanced perspective

Technological innovations guarantee that security solutions like encryption stay a step ahead of any legal framework seeking to regulate it. But having to constantly play catch-up deprives LEAs of a robust and effective mechanism to investigate online offences (particularly urgent ones). Thus, even as we hold privacy and security sacrosanct, it is important to acknowledge the challenges faced by the security apparatus when they are obstructed in the path of a legitimate investigation.

While providing the government with backdoor access poses the risk of government surveillance, there is a case for service providers and LEAs to work together to develop mechanisms and modify technology, as required, to allow for lawful interception requests to be serviced on a case-by-case basis, while building strong safeguards to prevent misuse of this power to intercept.

Currently, interception requests under Indian law can be made to service providers under either the Telegraph Act (Section 5(2) or Rule 419(a)), the IT Act (Section 69), or the CrPC (Section 91), all of which require service providers to comply or suffer punitive measures, including fines and imprisonment. These laws only allow for communication to be intercepted on a set of pre-identified grounds. The chain of command with respect to overseeing interception requests runs the length of the senior law enforcement cadre, before reaching the Home Secretaries.

As another check, the laws also call for the creation of a Review Committee (both at the central and state level) which is required to meet once every two months to analyse, post-facto, every interception order for legitimacy on a number of criteria, including the specific grounds under which the request was raised, the protocol followed for interception, as well as the outcome of the same.

Both the processes followed in an interception — before an interception request is approved and the post-facto review by the Committee — draw flak from civil liberty organisations who cite lack of adequate checks and balances in what is essentially an executive driven process.

To create more safeguards, judicial oversight is often proposed as a solution. However, when it comes to interception, it must be noted that in many instances what is required is an urgent decision to avert a potential threat like a terror attack. In such instances, judicial oversight not only adds another layer to the process, it’s likely to make little difference since the judiciary may be reluctant to object in the light of grave concerns. As for the process followed by the Review Committee, while there is merit in placing yet another judicial member if only to build public faith, it is unlikely to be practically effective unless at least half of the committee is judiciary-based.

In such a scenario, a more effective solution could be channelising all requests for interception through a single platform/interface that is suitably audited at regular intervals to build accountability and transparency in the process. This should be accompanied by the codification of practices and principles of the Review Committee.

Our stakeholder interactions reveal that in each meeting, the Review Committee is tasked with evaluating thousands of cases and often picks a sample of a few hundred cases for deep-dive. To ensure a robust selection of cases for review, the specifics of the entire process should be codified in law. Not only will this bring transparency regarding proceedings it might also prevent arbitrariness in vetting-procedures in the future.

Government interception rests upon an uneasy truce between the government/LEA, private companies and civil society activists, and given our overwhelming reliance on data, it is important to achieve a proper balance between privacy and national security. A robust and more transparent interception system might be the solution to this conundrum.

Author: Chinmay Rayarikar
Published: June 17, 2020 on the Property Rights Research Consortium

It is often said that cinema is a mirror to the society that it thrives in. The recently released film Gulabo Sitabo, directed by Shoojit Sircar with Amitabh Bachchan and Ayushmann Khurrana in the lead, is a brilliant comedic take on the state of our property records. The very first Bollywood film to premiere entirely online; the film’s trailer created much buzz around Amitabh Bachchan’s look and the on-screen presence of the bickering duo, an elderly landlord Mirza (Bachchan) and one of his young tenants, Baankey (Khurrana).

The film is centred around the life of 78-year-old Mirza and his wife Fatima. Fatima, who is 17 years older than Mirza, is the owner of the ancient haveli in Lucknow that they live in. Fatima has let several tenants live in the haveli’s vast expanse, for rents that are next to nothing. Despite this, Baankey and his family, which consists of his three younger sisters and mother, refuse to pay their rent, partly due to their poor financial condition, and partly because of the poor condition of their living quarters. Fatima is seemingly on her deathbed, and Mirza is impatiently waiting for her to pass away so that he can inherit the haveli and evict all his troublesome tenants. As his impatience grows, Mirza goes to a lawyer to see whether he can use legal provisions to evict the tenants from the haveli.

At the lawyer’s, Mirza discovers that the haveli has been handed down to Fatima by her father without any formal document confirming her inheritance. This leads to a wild chase all over Uttar Pradesh, as Mirza tries to track down all of Fatima’s living relatives and asking them to formally give up their claim to the haveli. On the other hand, Baankey talks to government officials from the archaeology department, who discover that the haveli is worthy of being designated a historical monument. Humour and confusion ensue, as both Mirza and Baankey try to outwit each other in different ways to retain control. Sharing more would lead to spoilers but the film has all sorts of characters usually associated with transfer of land and property in India, from corrupt politicians to real estate developers, disgruntled tenants to unscrupulous middlemen.

This film joins a league of handful (but brilliantly narrated) Bollywood films that have touched upon the issue of land ownership, tenancy, confusion between land authorities and landlessness: issues that Indian citizens are all too familiar with and have internalized to an extent that these movies are not always tragedies! These movies have managed to be laughing riots or found space for romance and relationships, even as they were set amidst land disputes, which are usually the most stressful times of Indian adult lives. In this blog, we peek into Bollywood’s narration of contemporary land and property rights related issues through three other films that have used these plotlines in the past!

Do Bigha Zamin: Bimal Roy’s Do Bigha Zamin (1953) is a classic, critically acclaimed film which follows the life of a humble villager, Shambu Mahato, played by Balraj Sahni, and his family as they try to fend off a local landlord from taking their land to build a mill. Shambhu owns two bighas of land (around two-thirds of an acre), which sit right in the middle of the land owned by the local zamindar, Harnam Singh, played by Murad. Singh wishes to acquire Shambu’s land, but on being refused by Shambu, decides to take him to court based on the money that Shambu had borrowed from Singh, which he had been unable to pay back. Shambhu is given three months to pay back his debt, or risk losing his land to Singh as collateral. In portraying this story, the film touches upon the ruthless cycle of debt that the rural poor in India face. For many Indian households, the most significant assets are held in the form of land and housing. The threat to these assets and the livelihoods of these households by powerful, vested interests continues to be a horrifying reality in rural India, which is why this film from the early 1950s, continues to resonate even today.

Khosla ka Ghosla: One of the most popular ‘modern’ films on this theme, Khosla Ka Ghosla (2006), upon its release, became an immediate hit with viewers and critics alike. This film follows the exploits of Kamal Khosla (Anupam Kher) and his family, who find their ‘dream’ plot of land, bought with Kamal’s hard-earned money, only to be encroached upon by the corrupt Kishan Khurana (Boman Irani), the leader of a local property-usurping criminal gang in Delhi. With the Khosla family getting tangled in a series of hilarious events as they deviously plan to remove the squatter i.e. Khurana, from their rightfully owned property, the film manages to weave a narrative on issues which hit a chord with most middle-class urban families. From showcasing a family’s struggle to buy and own property, to dealing with land mafia and legal disputes over property ownership, and finally taking the story to a happy ending with a good old solution of Indian jugaad, the film’s captured the lived experiences of most home buyers in urban India. Let’s hope things improve for the better as the Real Estate (Regulation and Development) Act, 2016 starts to take root. 

Love Per Square Foot: Released exclusively on the online streaming platform, Netflix, Love Per Square Foot (2018) is a film directed by Anand Tiwari, which humanizes the many challenges surrounding real estate in Mumbai. The film shares the story of two millennials, Sanjay (Vicky Kaushal) and Karina (Angira Dhar), both of whom belong to lower-middle class families in Mumbai and dream of owning their own apartment. Through scenes which show Sanjay’s mother banging on the bathroom door while he reads a newspaper on the pot, or the ones that show plaster peeling off the ceilings at Karina’s crumbling house, the film manages to beautifully capture the reality of the millions of youngsters in Mumbai, who live in crammed houses and travel in jam-packed local trains but dream of having their own space someday. The film follows a comical set of events as Sanjay and Karina decide to con the state government’s system by entering a marriage of convenience to buy a house under a subsidized housing scheme meant for married couples. Affordable housing is a huge challenge in India’s mega cities, this film unknowingly puts a spotlight on the bureaucratic hurdles that exist even in the schemes that are launched to address this problem. Not to mention an unintentional commentary on the lack of state capacity to administer these affordable housing schemes with numerous onerous conditions.

In a country where countless people own no land, or have insecure access to land and housing, it is inevitable that these issues get reflected in films. At the centre of these films, characters are portrayed as going to any lengths to keep their land or homes from being taken over or to accumulate new land or build a new home. Stories of property disputes from a landlord-tenant dispute to conflicts over rightful ownership, or even the humbling desperation of an individual to own a property in their name, are so commonplace, that nearly everyone relates to them. However next time you watch a movie with a similar storyline, do remember that behind all the glitz, glamour and light-hearted humour of these films, lies the all too familiar tragedy of a broken land governance system.

Author: Deepro Guha
Published: August 06, 2020 on Firstpost

“Today, data is the real wealth and it is being said that whoever acquires and controls the data will have hegemony in the future. The global flow of data is creating big opportunities as well as challenges.” These words were spoken by the Prime Minister of India during his speech at the World Economic Conference, 2018, perhaps an indication of the regulatory proposals in the offing. 50 crore Indians, over and above the current 45 crore, are expected to come online for the first time by 2022. Internet traffic in India is expected to rise to 78 exabytes (an exabyte equals a million terabytes) by 2021.

This exponential rise in the quantum of data generated in India would potentially create conditions for a thriving data market that can further be leveraged for the creation of new business opportunities, new forms of employment, evidence-based governance solutions, social welfare interventions etc.

In this context, the regulatory control of data is right up the list of policy priorities of the government. Regulation of data can be viewed from various prisms and policy objectives — privacy, national security, competition, ownership and innovation. Some of these objectives run counter to each other and there are several trade-offs that the government needs to make.

Current laws and policies

Currently, the laws in place for regulation of data is bare bones, with Section 43 of the Information Technology Act providing for basic norms of reasonable security practices during handling of data and punishments for contravention of the same. To further the scope of data regulation, the Government of India has been working on the Personal Data Protection Bill (PDP Bill) for regulation of personal data, formed a committee to advise on regulation of non-personal data and also touched upon data regulation in sector specific policies/laws such as the draft E-Commerce Policy, draft Digital Information Security in Healthcare Act (DISHA), RBI regulations for financial data etc.

While data regulation becoming a policy priority in India is very much in line with government action around the world, the Indian government’s approach can be described as haphazard and even overzealous.

Proposed regulators

Of the above-mentioned policy proposals, three proposed regulators are especially headed towards a collision course as they regulate the entire data economy. The first is the proposed Data Protection Authority (DPA) under the PDP Bill, which would be instituted with the objective of protecting personal data. Its jurisdiction would cover regulation of rights of data principals (those people who data pertains to), sharing of data, consent, cross-border transfer of data, roles and responsibilities of data fiduciaries (entity which collects the data) and data processors, mechanisms like data audits, classification of data fiduciaries etc. Thus the DPA is envisaged as a regulator looking at privacy as well as national security concerns.

Second, the report of the Expert Committee on Non-Personal Data (NPD report) has suggested the setting up of a Non-Personal Data Authority (NPDA), with the objective of facilitating sharing of non-personal data between entities who hold a large amount of data and Indian start-ups and other entities to build new products. Its jurisdiction would cover adjudication of data sharing requests, anonymisation of data among other things. Thus, the NPDA is envisaged as a regulator looking at unlocking economic benefits and ensuring smooth functioning of a ‘data market’.

Third, the leaked draft National E-Commerce Policy 2020 mentions setting up an institution of an e-commerce regulator which would ensure “fair competition, consumer protection (to the extent not covered by Consumer Protection Act) and handling of e-commerce related data issues”. However, the way this policy defines ‘e-commerce’ is in a manner that is used interchangeably with ‘digital economy’ which makes its reach as vast as the reach of the above-mentioned regulators covering the entire ambit of data-driven entities.

Regulatory confusion

These three proposed regulators with powers to govern data across industries in addition to sectoral regulators risk forming a regulatory cobweb, stifling innovation in data led businesses and increasing their compliance costs. The significant overlap in their powers and jurisdiction is even more concerning when one delves deeper into each of these proposals and examines some key proposals.

The first major problem is the definition of ‘non-personal data’. Non-personal data according to the NPD report is currently defined as any data which is not personal. Both technical and legal experts are uncomfortable with this definition.

While many technical experts contend that any level of anonymisation isn’t a foolproof guarantee against reverse engineering of data, legal experts contend that as collection and processing of data is a complex process often with no clear dividing lines between types of data, such an expansive definition is bound to create jurisdictional confusion between DPA and NPDA.

Additionally, while anonymised data is considered to be non-personal and thus ideally regulated by the NPDA, the NPD report’s recommendation of adding explicit consent provisions for anonymisation under the PDP Bill as well as Clause 82 of the PDP Bill providing for penalties for re-identification of anonymised data, could bring anonymised data under the jurisdiction of DPA as well.

Another source of confusion may be the definition of ‘data businesses’ (in the NPD report), as this bears a striking resemblance to the definition of ‘significant data fiduciary’ (SDF) in the PDP Bill. Both these terms are based on quantum of data collection thresholds, but these standards may be different in each case as they are decided by different authorities.

Similarly, confusion may occur between the proposed e-commerce regulator and the DPA, both of which are envisaged to have powers to define rules for cross border sharing of data.

To add to this puzzle, powers of proposed non-regulatory bodies such as ‘data trustees’, as suggested by the NPD report, also seem to clash with powers of the regulators. A ‘data trustee’ is proposed to be responsible for protection and enforcement of data rights of a community. The NPD report mentions that data trustees may have powers to order mandatory sharing of data, which could encroach on the regulator’s power to adjudicate on such requests.

Thus, with all the above proposals, it is safe to say that we are headed into a regulatory quagmire which can be a huge impediment for data driven businesses. While, prima facie, some of these proposals do mention that the regulatory scope will be well defined to avoid confusion, clarity will continue to elude unless ambiguity over some of the key definitions is resolved.

In its attempt to extract the maximum value from the data economy, the government must resist the temptation to be overzealous in regulation. An overtly complex regulatory structure can impede innovation, eroding the benefits of the data ecosystem that the government sought to reap in the first place.