WhatsApp’s Privacy Policy Gets the Stamp of the Delhi High Court

On August 25 2016, WhatsApp fundamentally changed its privacy policy in a manner that threatened to undermine privacy. In our previous post, we had explained how these changes allow WhatsApp to share account information (such as user’s phone number, contacts and profile picture etc.) with Facebook and other group companies compromising privacy of users. While user communication remains encrypted and secure, account information such as phone numbers, contacts etc. which are regarded by many as personally identifiable information may be shared.

A public interest litigation was filed before the Delhi High Court challenging the privacy policy on the grounds that it violated the fundamental right to privacy of users. On September 23 2016, the Delhi High approved this policy with some caveats (the High Court judgement can be accessed here).

In response to the contention of petitioners, the court noted that users of WhatsApp have ‘voluntarily’ availed of that service and are parties to a private contract. Further, the court noted some provisions of the 2012 WhatsApp privacy policy while arriving at this conclusion. First, the policy provided that by using WhatsApp the user’s consent to transferring the data to the United States and subjecting the transfer to laws of California. Second, it also specified that in case of a merger, WhatsApp reserves the right to transfer information collected by users. Looking at these to clauses, the Court said that the users cannot now argue that WhatsApp ought to be “compelled to continue the same terms and services”.

The court also dismissed the argument that the change violated the right to privacy emanating from Article 21 of the Constitution. It held that “the position regarding the existence of the fundamental right to privacy is yet to be authoritatively decided” referring to the matter referred to the constitutional bench of the Supreme Court. Consequently, the court dismissed the many challenges to the privacy policy albeit with some caveats. First, the court ordered WhatsApp to delete all user information/data/details for such users who completely delete WhatsApp before September 25 2016. Second, the court ordered that existing user information/data/details up till September 25 2016 will not be shared with Facebook and group companies. Only data post September 25 may be shared. Third, the court ordered the relevant government departments to decide whether Internet Messaging Applications like “WhatsApp” can be brought under statutory regulatory framework.

In the absence of a comprehensive data protection law and the existence of a fundamental right to privacy in doubt – it may seem that there is little the High Court could do. However, since the reference of the Aadhaar matters to the Constitutional Bench, multiple High Courts and even the Supreme Court (implicitly) have upheld the constitutional right to privacy. The High Court missed the opportunity to uphold 40 years of the Supreme Court’s jurisprudence on privacy which the Government is trying to overturn. Moreover, the direction to assess whether instant messaging (IM) applications can be brought within a regulatory framework should be closely watched. Any regulation of these services will require an amendment to the Telegraph Act and can have far reaching implications on the right to freedom of expression and the right to privacy.

Dirty Picture Project: Sarabjit

By Devdutta Mukhopadhyay and Vidya Dronamraju as part of the Dirty Picture Project. 

The Leading Ladies

When we decided to review Sarabjit, we looked forward to a break from the typical mindless masala entertainer that Bollywood is notorious for churning out. Moreover, examining the ordeal faced by Sarabjit from the point of view of his sister seemed like an interesting take on the heart breaking affair.

For the unaware, Sarabjit Singh (Randeep Hooda) was an Indian farmer who was arrested by Pakistani authorities after he inadvertently crossed the border. After prolonged torture, he admitted to being responsible for terrorist attacks against Pakistan and was given the death penalty. The film follows Sarabjit’s sister, Dalbir Kaur (Aishwarya Rai Bachchan), as she fights against all odds to secure her brother’s release. Besides Dalbir, Sarbjit’s family consists of his wife, Sukhpreet (Richa Chaddha) and their two daughters.

Dalbir: The Crusader Sister

The film begins with a search party frantically looking for Sarbjit who has gone missing. When their efforts prove futile, Sarabjit’s family approaches the Panchayat and seeks their help in filing an FIR. The Panchayat members are dismissive, and one of them even insinuates that Sarabjit may have another illegitimate family in Pakistan that he has gone to visit. When Dalbir objects to aspersions being cast on her brother’s character, the village elders taunt her because she is childless and does not have a family of her own. This becomes a recurring theme through the movie, and Dalbir’s inability to conceive a child and consequent separation from her husband are used to silence her at several important plot points.

In flashbacks, it is revealed that Dalbir’s daughter was stillborn and her husband blamed her for the child’s death. As the child’s body was being taken away, he cruelly remarked that her womb is cursed because it has no place for a child to thrive. Their relationship takes a turn for the worse, and two years later, Dalbir finally leaves her matrimonial home after her husband refuses to let her visit a hospitalised Sarabjit. Dalbir’s face is visibly bruised and it is abundantly clear that her husband is physically abusive. However, it is concern for her brother that ultimately convinces her to call it quits on her marriage, rather than the violence that she has been subjected to for years.  The underlying message is clear: as self-sacrificing creatures, women will only prioritize the interests of one man over the other but never their own.

After returning to her parents’ home, Dalbir adopts the role of the doting but responsible elder sister. She good-naturedly indulges Sarabjit’s love for wrestling but locks him out of the house when he shirks his duties and forgets to pick up his daughter. After learning about Sarabjit’s conviction, she runs from pillar to post trying to clear his name. Her persistence earns her an appointment with the Prime Minister but she is sent back with hollow platitudes. When she tries approaching the Chief Minister after the 2001 Parliament Attacks, she is attacked by his commandos. Finally, a dejected Dalbir sits down in the middle of the road in protest, and slowly, many other people join her. Media outlets and several human rights group eventually take notice of the plight of an innocent man who has been rotting in jail for decades, and it becomes a national campaign.

In a very telling scene, a male politician tries to hijack the agenda and talk on behalf of Sarabjit’s family. However, Dalbir refuses to remain voiceless and grabs the mic. She quotes verses from the Quran and pleads with the Pakistani government to release her innocent brother. She does not want to create a false binary between Hindus and Muslims, and though well-intentioned, the speech sounds superficial and preachy. Unfortunately, Dalbir’s moralistic sermonizing becomes a recurring problem with the film.

When Sarabjit’s execution date is set, Poonam (Ankita Shrivastav), his younger daughter, tries to burn all his photos and belongings. She is tired of living a half-life, and wants to symbolically finish his funeral rites so that they can all move on. She lashes out at Dalbir and accuses her of prolonging the inevitable because she does not have a family of her own.

In a last ditch attempt, Dalbir blocks a minister’s car and gets visas for the family to go to Pakistan. The women are accompanied by Dalbir’s ex-husband and his 180 degree turn from abusive partner to gallant escort is disconcerting to say the least. With a single kind gesture, the film effectively erases his history of violence and allows him to redeem himself.

Dalbir’s spirit finally breaks when it is discovered that the prisoner who has been released is “Surjeet”, and not Sarabjit. She attempts to commit suicide but is saved at the last moment. The women go on a hunger strike to save Sarabjit but it is too late because shortly thereafter, he is attacked by fellow inmates as a part of a larger conspiracy, and he succumbs to his injuries.

Sukhpreet: The Half-Widow

By contrast, Sukhpreet is a far more flawed and human character. One of the initial scenes show her putting up missing posters across town with an infant strapped to her back and another child clinging to her leg. She loves her husband immensely, but years of waiting have taken a toll on her resolve and made her bitter. Compared to the indefatigable Dalbir, she gets very little screen time perhaps because her own struggles and disappointments do not serve to advance Sarabjit’s story. After Ajmal Kasab’s mercy petition is rejected, there is major backlash in Pakistan and only Dalbir gets a visa to meet Sarabjit. Sukhpreet is sick of being second to her sister-in-law, and remarks that as far as her husband is concerned, she and her daughters have no rights but merely a duty to wait. When Dalbir tries to commit suicide, she accuses her of trying to be a martyr. She tells her that she has contemplated taking her life on many occasions too. However, she did not go ahead with her plans because she had faith in Dalbir.

The emotional challenges that Sukhpreet faces are much more realistic but sadly, they are not theatrical enough to make the cut. Her wavering devotion to her husband and her ability to criticize the perfect Dalbir provide a much needed break from Dalbir’s forced martyrdom. She is more grounded, more rough around the edges and more real but her pragmatism is cast negatively instead of what it really is; a narrative that a lot of women can relate to.

Put To The Feminist Test

Dalbir’s over the top struggle and high-pitched calls for universal brotherhood make it difficult for the viewer to relate to her. While her devotion to her brother is admirable, she doesn’t have an identity beyond fighting for his cause. The saving grace of the movie is the realistic tension between Dalbir and Sarabjit’s wife and daughters. Women fighting among themselves and being unable to get along is a common trope used by many filmmakers. However, it works in this case because it showcases a range of different but equally legitimate reactions that women can have when faced with difficult choices.

The movie does not pass the Bechdel Test because the entire plot revolves around Sarabjit, and consequently, every conversation between the female characters is about getting him justice. Since the Bedchel Test has its own limitations, we decided to put the movie through the Mako Mari Test which looks at whether a female character gets a narrative arc that is independent of a man’s story. Unfortunately, the movie even fails this test because Dalbir’s sole purpose in life is to save her brother from the gallows, and we learn little about her beyond that.

The film’s questioning of nationalism is superficial at best and it remains loyal to the dominant narrative about terrorism. In one of the later scenes, when posed with a hypothetical situation, Sarabjit’s daughters boldly declare that they would not accept their father’s release if it came at the cost of freeing a terrorist like Afzal Guru. What is conveniently ignored is that even a “terrorist” like Afzal Guru is someone’s father, and much like Sarabjit, could have very well been scapegoated by a broken criminal justice system.  With its shallow progressivism, Sarabjit is a disappointing watch that we would recommend you skip.

The India-US Cyber Partnership and Why Does it Matter?

by Shilpa Rao

India and the United States agreed on a joint cyber framework last month. This was at the second India-US Strategic and Commercial Dialogue held in New Delhi on August 31, 2016, which followed Prime Minister Narendra Modi and President Barack Obama’s discussion of such a framework in  in June 2016.

In the US-India joint cyber framework, both countries commit to maintaining an open, interoperable, secure, and reliable cyberspace. The framework lists steps that will increase cybersecurity cooperation. It also highlights the need to leverage cyberspace to promote economic growth and development, innovation, and commerce on the Internet.

The framework is likely to impact the US-India relationship in the context of cyber-security and defence. It may also result in India maintaining a steady commitment to the multistakeholder model of internet governance, which is an issue on which India has a history of wavering.

What Cybersecurity and Defence Commitments have we made?

Both nations have agreed to promote close co-operation between their law enforcement agencies to combat cybercrime. They will share information on cybersecurity threats on a real-time basis, and will develop joint mechanisms to mitigate such threats. They will also conduct joint training programs for law enforcement agencies as a capacity-building measure.

These commitments are likely to help India gain support and assistance with the investigation of  cybercrimes. This is much needed support that we have lacked, in part because of India’s refusal to sign the Budapest Convention, which  arguably limited our ability to tackle several cybersecurity issues. This is particularly so in the context of the jurisdictional issues and information sharing for which the Convention creates a framework. The US-India Cyber Partnership commitments resemble the Budapest Convention (on Cybercrime), 2001 recommendations (contained within Article 23).  

India and the US have been gradually  focusing on developing cyber tools that enable innovation, improve defence mechanisms and mitigate attacks in cyberspace. The US-India Defence Technology and Trade Initiative (DTTI), which promotes co-development and co-production of technical equipment, is one such effort. Separately trade restrictions, including over cyber tools, will be eased through the bilateral High Technology Cooperation Group .

Why does the commitment to Multistakeholderism in Internet Governance matter?

India has gone back and forth on its position on whether it is the multistakeholder model or the multilateral model that is most suitable Internet governance. For example, at the Internet Governance Forum 2012 in Baku, India supported the multistakeholder approach to Internet governance. However, at the International Telecommunications Union Plenipotentiary Conference 2014 in Busan,  India took the more multilateral stand that governments must play the major role in Internet governance. After this, India performed another volte-face, reiterating its support for a multistakeholder approach in June 2015.

In the India-US  cyber framework  India has clearly committed to  the multistakeholder approach. This Indo-US partnership might encourage India to introspect on its domestic policies, which some may argue reflect India’s reluctance  to embrace the multistakeholder approach. Nevertheless, the effectiveness of these bilateral ties in maintaining India’s commitment to multi stakeholder governance of the Internet  remains to be seen.

What are the significant takeaways from the framework?

The US-India cybersecurity framework positions India as a key player in Internet governance and cybersecurity. India stands to benefit from the framework- particularly with regard to information sharing and co-operation between law enforcement agencies in combating cybercrime and enhancing cybersecurity.

However, some of India’s most significant cybersecurity threats emanate from its neighbours – China and Pakistan. To confront these threats, India would benefit from regional engagement, particularly in Asia, on multistakeholderism and cybersecurity co-operation. In light of this, a multistakeholder, cooperative approach towards cybersecurity may be necessary and practicable towards combating cybercrime.

Shilpa Rao is a guest author for the CCG blog.

The Mission Creep Behind the Aadhaar Project

This post originally appeared in The Wire on 02 September 2016.

While the Aadhaar project is economically beneficial for the government, it is possible that its initially stated goals could have been achieved with cheaper and less intrusive technologies.

Credit: Reuters

If the Minister for Information and Broadcasting Venkaiah Naidu is to be believed, 97% of all adult Indian residents now possess an Aadhaar number. In a recent press release, he clarified that no one will be denied benefits on account of not having an Aadhaar number till such time a number is assigned to all beneficiaries. Recent reports of twenty additional schemes being linked with Aadhaar suggest that one may be forced to obtain the unique 12 digit number sooner rather than later. In this light, some technical aspects of the project warrant renewed attention.

A key feature of the Aadhaar project is the Central Identities Data Repository (CIDR) – a centralised database that stores every individual’s personal information. This personal information is a combination of demographic information such as name, age, address etc. as well as biometric information consisting of a photograph, all ten fingerprints and both iris scans. Centralised databases have been the subject of widespread criticism owing to their inherent limitations to secure privacy. But in the context of Aadhaar, the CIDR is problematic not only because it is a centralised database, but also because there’s little to justify its necessity or utility to plug leakages.

The rationale for a centralised database is based on its ability to weed out duplicate identities by checking each enrolment against an existing database of biometrics. Essentially, every Aadhaar-linked transaction involves online transmission of the unique 12-digit number and other information including biometrics to the CIDR. The CIDR verifies the correctness of this information on the basis of data already held by it. It then responds to the service provider with a ‘yes’ or a ‘no’.  This process is known as authentication. Besides the demographic and biometric information collected at the time of enrolment, the CIDR also maintains a record of every authentication request sent to it. Thus, every time a resident uses her Aadhaar number, the service provider’s identity, time and the CIDR’s response get recorded in it. The aggregation of these records could potentially create a detailed history of an individual’s transactions. The laws for regulating the manner and duration of storage of these records are yet to be framed.

The problems with centralisation 

Centralised databases are subject to several criticisms. For starters, it is easier to justify new uses for the same database when all the information is aggregated at the same place. Known as ‘mission creep’, this allows authorities to use personal information collected for one purpose to be used for altogether different purposes. Ironically, the Aadhaar Act itself allows for this mission creep. With broad exceptions, information that is ostensibly collected for targeted delivery of government services and subsidies can legitimately be used for national security or for any other purpose a district judge thinks fit. Further, in 2010, it was reported that the multinational company Ernst & Young (EY) had been selected as a consultant to set up the CIDR. The report went on to state that the scope of EY’s services included “…identifying and developing business models and business cases for potential revenue streams from the CIDR among others”. This makes the very foundation of the Act suspect. Additionally, large databases are more vulnerable to identity theft. The Electronic Frontiers Foundation, a prominent digital rights group describes large centralised biometric databases as “a honeypot of sensitive data vulnerable to exploitation”. The extent of information and its localisation at one place may make the database an ideal target for foreign governments and hackers.

In 2005, researchers came out with a detailed report on the UK Identity Cards Bill (‘UK Bill’) – the proposed legislation for a national identification system based on biometrics. Despite a few differences, the British project also envisaged a centralised database that would store personal information along with the entire transaction history of every individual. The report came out strongly against centralised storage of information and suggested other alternatives such as a system based on smartcards (where biometrics are stored on the card itself) or offline biometric-reader terminals. As per the report, both these alternatives would have been cheaper as neither required real-time online connectivity. Online authentication is a far greater challenge in India. In a recent survey of network readiness of a hundred and thirty-nine countries, the United Kingdom placed eighth while India ranked ninety-one. Poor Internet connectivity has already resulted in denial of benefits to a number of beneficiaries. The report further debunked the claim that centralised systems are more secure and pointed out the additional risk of a single point of failure, which may paralyse all transactions. The UK identification project was subsequently discarded as a result of the privacy and cost considerations raised in this report.

Limitations of centralisation 

However, the report did acknowledge the usefulness of centralised databases in preventing multiple enrolments by the same individual. But leakages in the distribution system exist due to several reasons. Reetika Khera, an economist and associate professor IIT Delhi points out that although Aadhaar can correct duplicate identities, it can do little to correct other forms of fraud. This includes instances where individuals have falsified their eligibility criteria, extortion by middlemen or collusion between middlemen and beneficiaries.

As of August 2015, the reported expense for the Aadhaar project was almost Rs. 6,700 crores. Given the extent of expenditure, it would be natural to assume that the benefits arising from removing duplicate identities outweigh the costs associated with the project. In 2013, the National Institute of Public Finance and Policy (NIPFP) conducted a cost-benefit analysis of the Aadhaar project (more than two years after enrolment had already begun). Its findings indicate that the project would yield an internal rate of return of 52.85% to the government. However, the underlying assumptions on which these calculations were made deserve greater attention. Khera pointed out several flaws with the NIPFP study. First, although the report considers seven programs, estimates of duplicate or ghost beneficiaries were available only for two schemes – the PDS and the NREGA. For the other schemes, the study either assigned a rate of 7-10% or applied the estimate of duplicate/ghost beneficiaries for one scheme to another. Secondly, even for PDS, the study relied on outdated data from 1997-2001. These limitations were admitted by the authors of the study but its final conclusions have nevertheless been used to justify public spending on setting up Aadhaar.

Evidence suggests that cheaper alternate technologies can be equally efficient in weeding out duplicates. For example, Tamil Nadu and Chhattisgarh have drastically reduced leakages in the PDS through computerisation and other methods. The question of whether the UIDAI’s current model is more cost-effective than other technologies was outside the ambit of the study, and hence never analysed. There’s no doubt that the Aadhaar project is economically beneficial for the government. But almost Rs. 6,700 crore rupees have been spent not knowing the extent of these benefits and whether they could be achieved by cheaper, less intrusive technologies.

Despite the government’s insistence on a centralised database, there is very little justification in the public domain about the necessity of such a system. The FAQs on the UIDAI website state that Aadhaar’s system of online authentication is more advantageous compared to an offline system of smartcards as it is ‘more cost-effective, more secure and allows portability’. Even if one assumes this to be true (though all evidence suggests to the contrary), the UIDAI has done little to demonstrate it.

Ticked off: Cracking down on WhatsApp group administrators is bad policy

By Parul Sharma

The post originally appeared in Scroll.in on 2nd August 2016.

Curbing speech that incites violence is a valid concern but the government needs a better understanding of technology in order to develop clear policy.

untitled

In April 2016, two state governments issued directives seeking to regulate communication on WhatsApp, an internet-based instant messaging application used by more than 70 million people in India, largely on their mobile phones.

With increasing internet shutdowns, banning of mobile telephony and arrests for online content, it is not surprising that the government has sought to regulate this mode of communication.

Much like shutdowns, these directives pose a severe threat to the freedom of speech enjoyed by users online and are in clear violation of existing legal precedents.

Government directives

The district magistrate of Kupwara district of Jammu & Kashmir mandated the administrators of “WhatsApp news groups” and “social media news agencies” to register their groups at the District Social Media Centre through a circular issued on April 18, 2016.

It designated an informatics officer to “keep vigil” on the groups and placed the liability on group administrators for any “irresponsible remarks/deals”.

In the same month, news reports indicated, the Jharkhand government issued an advisory for administrators of all social media groups to remove persons who share “incorrect/misleading information, antisocial tirade or anything seditious in nature” and report the same. A failure to report such information would land both the violator and the group administrator in jail.

These directives are inconsistent with the right to freedom of speech and expression as interpreted by the Supreme Court in Shreya Singhal v Union of India in March 2015, as per which any law restricting the freedom of speech is valid only if it is proximately related to the eight permitted restrictions in Article 19(2). In this case, the apex court struck down section 66A of the Information Technology Act for its chilling effect on speech for its “vague” and “over-broad” restriction on speech.

The Kashmir and Jharkhand directives prohibit conduct that is “irresponsible” and “incorrect/misleading or antisocial” respectively without referring to any legal provisions. The terms “antisocial” and “irresponsible” may encompass a range of activities and do not clearly elucidate what exactly is prohibited content. Further, directing WhatsApp administrators to remove individuals who post such content may result in self censorship of content by individuals.

The apex court had held that restrictions in the interest of public order are justified only when advocacy reaches the level of incitement. However, both these directives ignore these standards set out in Shreya Singhal. By burdening the WhatsApp administrators with responsibility to vet content on their groups on the basis of vague guidelines, the directives pave the way for arbitrary censorship and chilling effect, which could lead to the suppression of legal and legitimate content.

Arresting administrators

These directives come in the wake of a series of arrests in India for content circulated on WhatsApp. From June 2015 to June 2016, there were more than 20 arrests of WhatsApp users under various sections of the Indian penal code and IT Act. Particularly worrying incidents involved arrests of WhatsApp administrators even when they had not posted the allegedly inflammatory or defamatory content.

In August 2015, the Chattisgarh police arrested a WhatsApp group administrator for a video posted on the group by another member under section 153A, 153B and Section 504 of the penal code as well as the IT Act. In October 2015, police in the Latur district of Maharashtra arrested a WhatsApp group administrator and three others for content posted on the group.

Despite criticism for these arrests, law enforcement authorities continued to register cases against WhatsApp administrators. In May 2016, the Jharkhand police arrested one person for posting allegedly inflammatory content on a WhatsApp group and a case was also registered against the WhatsApp administrator.

The police stated that they would be “verifying if the administrator took any steps to ensure that the message was not circulated further”.

Three problems

The directives and arrests making the administrator responsible for posting of content on the group are problematic for a number of reasons.

First, it burdens private persons with the responsibility of deciding between legal and illegal content which may lead to overbroad restrictions and extreme censorship. Private parties do not have the legal knowledge or resources to subjectively determine the legitimacy of content, which is why Section 79 of the IT Act was read down in Shreya Singhal to prevent “takedowns” or removal of content on orders of intermediaries alone. Therefore, now placing this responsibility on WhatsApp administrators lends open the content to overbroad restrictions by administrators who may delete people from groups or threaten to complain against content that is legitimate, erring on the side of caution.

Second, the WhatsApp application is not designed in a manner to give WhatsApp group administrators’ editorial powers apart from the power to remove or add participants. They have no power to edit the content before it is posted. Further, if an existing administrator leaves the group the next administrator is randomly assigned by WhatsApp. As a result, a person may become the administrator without choosing to or even realising that they have become the administrator.

Third, it remains unclear how the WhatsApp administrator is being made liable. If the administrator is being considered liable for aiding the transmission of the messages by virtue of allowing participation in the group then he or she would also fall within the definition of an intermediary. By being an intermediary he or she attracts the safe harbour protection under Section 79. The apex court in Shreya Singhaldirected that an intermediary need only take action on notification of illegality through a court or an executive order. In the absence of such orders the intermediary is protected from liability which should also extend to administrators of WhatsApp groups. Any such characterisation has the potential to impact various platforms like Hike messenger or Google docs or other shared or common group services.

Government directives and unclear policy regarding messaging applications like WhatsApp can undermine the freedom of speech and expression. These directives also ignore the clear mandate laid down by the apex court in Shreya Singhal on various counts. Curbing speech that incites violence is a valid concern. However, the government needs a better understanding of technology in order to develop clear, precise and more effective policies. The government and platforms like WhatsApp ought to engage on these policy matters to help carve out least restrictive measures in consonance with the law.

(Parul Sharma is an Analyst at the Centre for Communication Governance at National Law University Delhi.)

Government Advertisements and Freedom of Press: Examining the Rajasthan Patrika case

By Arpita Biswas

Rajasthan Patrika, a highly popular newspaper, has seen a sharp decline in government advertisement allocation over the last year. According to reports, the alleged reason for the decline was the political ideology of the Patrika, which did not favour the state government. The state government however claimed that the decline was necessary to correct the existing imbalance in advertisement allocation. The “fight for survival” drew to an end earlier this month when the Supreme Court ordered the Rajasthan government to allocate a higher percentage of advertisements to the Patrika.

Advertisement allocation is necessary for newspapers to reduce their cost of production. Declining advertising revenues would force publishers to pass on the cost to readers, which would negatively impact circulation. This practice has been held to be against the ‘Freedom of the Press’.

While not explicitly enumerated, Freedom of the Press is a constitutionally protected right under Article 19 of the Constitution (Romesh Thappar v State of Madras). International instruments like the American Convention on Human Rights prohibit ‘indirect’ means of censorship (Article 13.3). The Office of the Special Rapporteur for Freedom of Speech and Expression (Inter-American Commission on Human Rights) in the Principles on the Regulation of Government Advertising and Freedom of Expression mentions curbing advertisement allocation as an ‘indirect’ means of censorship.

Like Rajasthan Patrika, Ushodaya Publications, a Supreme Court case, dealt with a similar set of facts in 1981. In Ushodaya Publications vs. Government of Andhra Pradesh, the petitioners claimed that the ‘Advertisement Procedure’ stipulated in the Government Order served as a restraint on the Freedom of Speech and Expression under Article 19 of the Constitution. The Order specified certain production and circulation standards, which the publishers considered restrictive. The petitioners also claimed that absence of a “right to notice and hearing…a machinery for redress or correction of an adverse decision by way of appeal or revision” rendered the system vague and arbitrary. The courts however held that the mechanism was not unconstitutional and merely streamlined the advertisement allocation process through the Director of Information and Public Relations. The discretion of the Director was not discriminatory since advertisements were ‘commercial speech’.  Advertisement allocation was not considered integral to the Freedom of Press.

The new DAVP Policy

Roughly three decades later, the Freedom of Press related concerns raised in Ushodaya remain unaddressed.  

The rules governing advertisement allocation are over-looked by the Directorate of Advertising and Visual Publicity (DAVP). The DAVP is a nodal agency through which government bodies streamline the advertisement allocation process.  In June of 2016, the Information and Broadcasting Ministry published a new policy for the DAVP , the National Advertisement Policy  . Among other concerns, the Policy was introduced to “focus on transparency and equity in release of government ads”.

The Policy allocates ads to ‘small’, ‘medium’ and ‘big’ newspapers, based on their circulation numbers. Following a ‘scorecard’ system, the higher number of points a newspaper has, the greater percentage of ads it will be allocated. Rajasthan Patrika happens to be an ‘empanelled’ newspaper which would score highly. (It is a member of the Audit Bureau of Circulation and is one of the most widely read papers in the country, which leads us to believe that it must be widely circulated.)

The process of ‘empanelling’ is multi-pronged and extensive. With six criteria, ranging from approval from the Audit Bureau of Circulation and the Registrar of Newspapers of India to an annual subscription payment to the Press Council of India, only select newspapers are empanelled. The policy faced criticism from small and medium enterprises for favouring larger newspapers. The renewed empanelling process would seemingly favour existing members of the ABC/RNI.

Criticism of the Policy

In addition to the criticism faced by smaller newspapers, the policy has a few inherent flaws. Similar to the Government Order in the Ushodaya case, the DAVP Policy also does not have a redressal mechanism. The ‘minimum print area’ criterion under Clause 11 of the Policy is vaguely reminiscent of Bennett Coleman vs. Union of India where the permissible number of pages were regulated under the Newsprint Policy of 1972-73. The courts in this case held the limit on the number of pages to be unconstitutional. ‘Minimum print area’ could severely restrict circulation of papers, as well.

Several of the clauses rely on being vetted by the Audit Bureau of Circulation (ABC) or Registrar of Newspapers for India (RNI). These agencies audit the circulation of and verify the legitimacy of the newspapers. The ABC also requires a newspaper to be registered under the RNI to be considered for membership at the bureau. However, reports of fake newspapers/journals registered by the RNI were afloat last year. These ‘fake’ publications, which had either printed the same content multiple times or had not printed at all, were being allocated government ad revenue. A huge discretion between the number of newspapers circulated in the districts and those empanelled by the DAVP was found. Amidst allegations of corruption, DAVP and RNI’s conduct renders the whole system of ‘empanelling’ questionable.  

The ABC Manual paints a murky picture as well. Clause 14.7 states that non-submission of books and records “will lead to non – consideration for certification”. While in the same document, Article 5A gives ABC the authority to revoke membership in the event of non-submission of circulation figures. Similarly, in the case of the ‘fake’ publications, the RNI admitted they were ‘not empowered to take action’.

Conclusion

‘Empanelling’ under the DAVP is a restrictive practice and would lead to curtailing freedom of speech and expression. An ‘indirect’ means of censorship, the multi-pronged empanelment process is subject to corruption and arbitrariness. The DAVP Policy renders the allocation system vulnerable and open to misuse. The need of the hour is a far more coherent and transparent set of guidelines.

WhatsApp Backtracks on Privacy, Faces Legal Hurdles

In February 2014, Facebook purchased WhatsApp for a whooping $19 billion. This deal came under scrutiny from various privacy advocates. They questioned if the standards of privacy and security of communication on WhatsApp would be maintained post acquisition. WhatsApp reassured users of its commitment to privacy through a blog post titled ‘Setting the record straight’. The blog clarified that WhatsApp would operate independently and autonomously with no new data being collected. In a separate post, WhatsApp categorically assured ‘nothing’ would change for the user. Reinforcing its commitment to privacy, earlier this year WhatsApp had even introduced end to end encryption.

However, on August 25 2016 WhatsApp introduced key changes in its privacy policy that threaten user privacy. These changes negate WhatsApp’s earlier assurances and raise fundamental concerns regarding privacy and security of user information on WhatsApp.

Changes in the Privacy Policy

Most users have already received a notification from WhatsApp about their updated Terms of Service. Although WhatsApp has presented users with the option to opt-out (though only partially), it has made it difficult for users to exercise this option. The option is only visible once you click on ‘read’. As users rarely inspect standard form contracts – it is likely that this option would be overlooked by many.

The key changes that this policy introduces pertain to sharing of account information with the ‘Facebook family of companies’ (i.e. Facebook along with Atlast, Instagram, Parse etc.). The first change allows WhatsApp to share WhatsApp account information to improve the users ‘Facebook ads and products experience’.  A user has two options to opt-out of this process. The user can opt-out of this process by un-ticking an option displayed on the ‘key updates’ page reached after clicking on ‘read’ (Option 1). If the user has already agreed to the privacy policy they can opt-out within a limited period of 30 days (Option 2). The second change is that WhatsApp will now be sharing data with the ‘Facebook family of companies’ for ‘other purposes’ which include but are not limited to improving delivery systems and fighting spam or abuse. Account information that is shared includes a user’s phone number, contacts and profile picture amongst other information. There is no opt-out option for this and the information will be shared by WhatsApp on a regular basis. (A pictorial representation of the changes may be found here)

Problems with the new Changes

These new changes are fraught with problems. First, WhatsApp has not sought consent for sharing data for purposes other than advertising. While examples of ‘other purposes’ are provided for, the list is non-exhaustive. This paves way for sharing of data and its use without knowledge and consent of the user. Further, the data shared may include phone number and pictures which are recognised by many as personally identifiable information. Sharing of personally identifiable information is subject to informed consent by data protection laws across the world. This policy ignores such requirements. Second, once the user agrees to share the terms of the policy – they only have a time period of 30 days to opt out. This time period is an unfair limitation on the rights of users to stop WhatsApp from sharing of data for advertising purposes in the future. By not incorporating an option to revoke consent at any point of time – WhatsApp again ignores one of key safeguards for protecting the right to privacy. Third, the policy provides for an opt-out mechanism as opposed to an opt-in mechanism. Instead of seeking user consent before sharing the data the mechanism is designed in a manner that requires users to take active steps to prevent sharing of information. Opt-out boxes assume user consent until the user un-checks the box and often run the risk of being missed by users. Fourth, at the time of acquisition of WhatsApp the Federal Trade Commission of USA had issued a letter to both Facebook and WhatsApp reminding them of the need to maintain their privacy commitments. The letter required affirmative express consent (such as opt-in) in case data is used in a manner inconsistent with the promises made at the time of collection of such data. An opportunity to opt-out was required in case of changes in collection, use and sharing of ‘newly collected data’. While this new policy applies to data that was collected earlier (such as phone number and contact details) it goes for an opt-out option as opposed to affirmative consent through an opt-in option.

Finally, WhatsApp and Facebook repeatedly assured users that ‘nothing’ would change as a result of the merger. The policy for use of data to customise advertising goes against WhatsApp’s earlier policies as well as the 2014 assurances of no change in data use. This new policy not only undermines the right to privacy in many ways – but goes a long way in undermining the trust of users.

Reactions to the Policy

The policy has been condemned by many. The absence of even an opt-out option for sharing of data for purposes other than advertising has invited even greater criticism. The Electronic Privacy Information Center from the United States has filed a complaint before the Federal Trade Commission against WhatsApp and Facebook. The Data Protection Authority in the UK, the Information Commissioners Office, has also stated that it would be investigating these changes. Reports indicate that most of the EU regulators will also be closely following the changes in the WhatsApp policy.

A public interest litigation has also been filed before the Delhi High Court arguing that these changes are in violation of Article 14, 19 and 21 of the Indian Constitution as well as Section 72 of the Information Technology Act 2000. The court has sought the government’s response on modification of the privacy policy. It remains to be seen how the regulators across the world respond to these changes.

(I would like to thank my colleague Kritika Bhardwaj for her assistance with this piece)

%d bloggers like this: