Reflections on Second Substantive Session of UN OEWG on ICT Security (Part 3):Confidence Building Measures, Capacity Building and Institutional Dialogue

Ananya Moncourt & Sidharth Deb

“Smoking Gun” by Claudio Rousselon is licensed under CC BY 4.0
  • Introduction

In Part 1 this three-part series on the second substantive session of the United Nations’ (UN) Open-Ended Working Group (OEWG) on ICT security (2021-25) we critiqued how the OEWG is incorporating the participation of non-governmental stakeholders within its process. In Part 2 we reflected on States’ (including India’s) participation on discussions under three main themes of the OEWG’s institutional mandate as detailed under para 1 of the December 2020 dated UN General Assembly (GA) Resolution 75/240.

This analysis revealed how lawfare and geopolitical tensions are resulting in substantive divides on matters relating to (a) the definition and identification of threats in cyberspace; (b) the future direction and role of cyber norms in international ICT security; and (c) the applicability of international law in cyberspace. In Part 3 our focus turns to discussions at the second session as it related to inter-State and institutional cooperation. Specifically, we examine confidence building measures, cyber capacity building, and regular institutional dialogue. The post concludes by offering some expectations on the way forward for ongoing international cybersecurity and cybercrime processes.

  • Confidence Building Measures (CBMs)

Under CBMs, States focused on cooperation, collaboration, open dialogue, transparency and predictability. These included  proposals operationalising a directory of national point of  contacts (PoCs) at technical, policy, law enforcement and diplomatic levels. Several States suggested that CBMs would benefit from including non-governmental stakeholders and integrating with bilateral/regional arrangements like ASEAN, OSCE and OAS. States identified UNIDIR’s Cyber Policy Portal as a potential platform to advance transparency on national positions, institutional structures and best practices. South Korea, Malaysia and others proposed using the portal for early warning systems, new cyber norms discussions, vulnerability disclosures, and voluntary information sharing about national military capabilities in cyberspace. Other priority issues included (a) collaboration between CERTs to prevent, detect and respond to cybersecurity incidents; and (b) critical infrastructure protection.

CBMs were another site of substantive lawfare. Russia and its allies stressed on the need for objective dialogue to prevent misperceptions. They urged States to consider all technical aspects of cyber incidents to minimise escalatory risks of “false flag” cyber operations. As we have discussed earlier in Part 2, Iran and Cuba argued against States’ use of coercive measures (e.g. sanctions) which restrict/prevent access to crucial global ICT infrastructures. These States also highlighted challenges with online anonymity, hostile content, and the private sector’s (un)accountability.

India focused on cooperation between PoCs for technical (e.g. via a network of CERTs) and policy matters. They espoused the benefits of integrating CBM efforts with bilateral, regional and multilateral arrangements. Practical cooperation through tabletop exercises, workshops and conferences were proposed. Finally, India stressed on the importance of real-time information sharing on threats and operations targeting critical infrastructures. The latter is a likely reference to challenges States like India face vis-a-vis jurisdiction and MLAT frameworks.

  • Capacity Building

Consistent with the first OEWG’s final report, States suggested that capacity building activities should be:

  • sustainable,
  • purpose and results focused,
  • evidence-based,
  • transparent,
  • non-discriminatory,
  • politically neutral,
  • sovereignty respecting,
  • universal, and
  • facilitate access to ICTs.

States advocated international capacity building activities correspond with national needs/priorities and benchmarked against internationally determined baselines. The UK recommended Oxford’s Cybersecurity Capacity Maturity Model for national assessments.  States recommended harmonising capacity building programmes with bilateral and regional efforts. Iran and Singapore proposed fellowships, workshops, training programmes, education courses, etc as platforms for technical capacity building for State officials/experts. States suggested UNIDIR assume the role of mapping global and regional cyber capacity building efforts—spanning financial support and technical assistance—aimed at compiling a list of best practices. Disaster and climate resilience of ICT infrastructure was a shared concern among Member States.

Even under this theme Russia and their allies addressed unilateral issues like sanctions which limit universal access to crucial ICT environments and systems. Citing the principle of universality, Russia even proposed the OEWG contemplate regulation to control State actions in this regard. Iran built on this and proposed prohibiting States from blocking public access to country-specific apps, IP addresses and domain names.

India recommended capacity building targeting national technical and policy agencies. It proposed funnelling capacity building through regular institutional dialogue to ensure inclusivity, neutrality and trust. India proposed a forum of CERTs, under the UN, to facilitate tabletop exercises, critical infrastructure security, general cybersecurity awareness campaigns, and cyber threat preparedness. India proposed establishing an international counter task force comprising international experts in order to provide technical assistance and infrastructural support for cyber defences and cyber incident response against critical infrastructure threats. Member Sates requested India to elaborate on this proposal.

  • Regular Institutional Dialogue

Several States like France, Egypt, Canada, Germany, Korea, Chile, Japan and Colombia identified a previously proposed Programme of Action (PoA) to facilitate coordinated cyber capacity building. France proposed the PoA assist States with the technical expertise for cyber incident response, national cybersecurity policies, and critical infrastructure protection. States also identified the PoA to maintain a trust fund for cyber capacity building projects, and serve as a platform to assist States identify national needs and track implementation of cyber norms. Prior to the third substantive session, co-sponsors are expected to share an updated version of its working paper with the OEWG secretariat. These States have also proposed that the PoA serve as a venue for structured involvement of non-governmental stakeholders.

In order to harmonise the mandates of the OEWG and the PoA, Canada proposed that the OEWG serve as the venue where core normative aspects are finalised, and the PoA works on international implementation. The Sino-Russian bloc and developing countries expressed concerns about the PoA as a forum for regular institutional dialogue. Iran suggested that the OEWG instead operate as an exclusive international forum on cybersecurity. Cuba and Russia maintained that a parallel PoA would undercut the OWEG’s centrality.

While India’s intervention recognises the importance of regular institutional dialogue, it insists that such interactions be intergovernmental. It recommends that States retain primary responsibility for issues in cyberspace relating to national security, public safety and the rule of law.

  • Way Forward

The OEWG Chair aims to finalise a zero draft of its first annual progress report, for consultations and written inputs, approximately six weeks prior to the OEWG’s third substantive session in July 2022. It will be interesting to track how lawfare affects the report and other international processes.  

In this regard, it is crucial to juxtapose the OEWG against the UN’s ongoing ad-hoc committee in which States are negotiating a draft convention on cybercrime. Too often these conversations can be stuck in silos, however these two processes will collectively shape the broad contours of international regulation of cyberspace. Already, we observe India’s participation in the latter is shaped by its doctrinal underpinnings of the Information Technology Act—and it will be important to track how these discussions evolve.

CCG’s Comments to the Ministry of Electronics and Information Technology on the Draft National Data Governance Framework Policy

Authors: Joanne D’Cunha and Bilal Mohamed

On 26th May 2022, the Ministry of Electronics and Information Technology (MeitY), released the Draft National Data Governance Framework Policy (NDG Policy) for feedback and public comments. CCG submitted its comments on the NDG Policy, highlighting its feedback and key concerns with the proposed Data Governance Framework. The comments were authored by Joanne D’Cunha and Bilal Mohamed, and reviewed and edited by Jhalak M. Kakkar and Shashank Mohan.

The draft National Data Governance Framework Policy is a successor to the draft ‘India Data Accessibility and Use’ Policy, which was circulated in February 2022 for public comments and feedback. Among other objectives, the NDG policy aims to “enhance access, quality, and use of data to enable a data-led governance” and “catalyze AI and Data led research and start-up ecosystem”.

“Mountain” by Mariah Jochai is licensed under CC BY 4.0

CCG’s comments to the MeitY are divided into five parts – 

In Part I, of the comments we foreground our concerns by emphasising the need for comprehensive data protection legislation to safeguard citizens from potential privacy risks before implementing a policy around non-personal data governance. 

In Part II, we focus on the NDG Policy’s objectives, scope, and key terminologies. We highlight that the NDG Policy lacks in  sufficiently defining key terms and phrases such as non personal data, anonymisation, data usage rights, Open Data Portal, Chief Data Officers (CDOs), datasets ecosystem, and ownership of data. Having clear definitions will bring in much needed clarity and help stakeholders appreciate the objectives and implications of the policy. This also improves  engagement from the stakeholders including the government in the policy consultation process. This also enhances engagement from the stakeholders, including the various government departments, in the policy consultation process.  We also highlight that the policy does not illustrate how it will intersect and interact with other proposed data governance frameworks such as the Data Protection Bill 2021 and the Non Personal Data Governance Framework. We express our concerns around the NDG Policy’s objective of cataloguing datasets for increased processing and sharing of data matching with the aim to deploy AI more efficiently.  It relies on creating a repository of data to further analytics, and AI and data led research. However, it does not take into consideration that increasing access to data might not be as beneficial if computational powers of the relevant technologies are inadequate. Therefore, it may be more useful if greater focus is placed on developing computing abilities as opposed to increasing the quantum of data used.

In Part III, we focus on the privacy risks, highlighting concerns around the development and formulation of anonymisation standards given the threat of re-identification from the linkage of different datasets. This, we argue, can pose significant risks to individual privacy, especially in the absence of a data protection legislation that can provide safeguards and recognise individual rights over personal data. In addition to individual privacy harms, we also point to the potential for collective harms from using aggregated data. To this end, we suggest the creation of frameworks that can keep up with the increased risks of reidentification posed by new and emerging technologies.

Part IV of our comments explores the institutional framework and regulatory structure of the proposed India Data Management Office. The proposed IDMO is responsible for framing, managing, reviewing, and revising the NDG Policy. Key concerns on the IDMO’s functioning pertain to the exclusion of technical experts and representatives of civil society and industry in the IDMO. There is also ambiguity on the technical expertise required for Chief Digital Officers of the Digital Management Units of government departments and ministries, and the implementation of the redressal mechanism. In this section, we also highlight the need for a framework within the Policy to define how user charges will be determined for data access. This is particularly relevant to ensure that access to datasets is not skewed and is available to all for the public good. 

You can read our full submission to the ministry here.

Reflections on Second Substantive Session of UN OEWG on ICT Security (Part 2): Threats, Cyber Norms and International Law

Ananya Moncourt & Sidharth Deb

“Aspects of Cyber Conflict (pt. 3)” by Linda Graf is licensed under CC BY 4.0

Introduction

Part 1 of this three part series on the second substantive session of the United Nations’ (UN) Open-Ended Working Group (OEWG) on ICT security (2021-25) analysed key organisational developments regarding multistakeholder participation. The post contextualised the OEWG’s institutional mandate, analysed the impact of the Russia-Ukraine conflict on discussions, traced differing State positions, and critiqued the overall inclusiveness of final modalities on stakeholder participation at the OEWG.

This post (and subsequently Part 3) analyses substantial discussions at the session held between March 28 and April 01, 2022. These discussions were organised according to the OEWG’s mandate outlined in UN General Assembly (GA) Resolution 75/240. Accordingly, Part 2’s analysis covers:

  • existing and potential threats to “information security”.
  • rules, norms and principles of responsible State behaviour i.e. cyber norms.
  • international law’s applicability to States’ use of ICTs.

Both posts examine differing State interventions, and India’s interventions under each theme. The combined analysis of Parts 2 and 3 provides evidence that UN cybersecurity processes struggle with an inherent tension. This relates to the dichotomy between the OEWG’s mandate, which is based on confidence building, cooperation, collective resilience, common understanding and mutual accountability; as against the geopolitical rivalries which shape multilateralism. Specifically, it demonstrates the role of lawfare within these processes.

Existing and Potential Threats

Discussions reflected the wide heterogeneities of States’ perceptions of threats in cyberspace. The US, UK, EU, Estonia, France, Germany, Canada, Singapore, Netherlands and Japan prioritise securing critical infrastructure and ICT supply chains. Submarine cables, communication networks, rail systems, the public core of the internet, healthcare infrastructure and information assets, humanitarian databases, and oil and gas pipelines were cited as contemporary targets. Ransomware and social engineering were highlighted as prominent malicious cyber techniques.

In contrast, Russia, China and allies like Syria, Cuba and Iran urged the OEWG to address threats which conform to their understanding of “information security”. Premised on information sovereignty and domestic regime stability, prior proposals like the International Code of Conduct for Information Security offers a template in understanding their objectives. These States advocate regulating large-scale disinformation, terrorism, recruitment, hate speech and propaganda occurring over private digital platforms like social media. Cuba described such ICTs as tools for interventionism and destabilisation which interfere in States’ internal affairs. Iran and Venezuela cautioned States against using globally integral ICT systems as conduits for illegitimate geopolitical goals, which compromise other States’ cyber sovereignty—a recurring theme of these States’ engagement at the session.

Netherlands and Germany described threats against democratic and/or electoral processes as threats to critical infrastructure. Similarly, France described disinformation as a risk to security and stability in cyberspace. This is important to track since partial intersections with the Sino-Russian understanding of information security could increase future prospects of information flows regulation at the OEWG.

Developing States like Brazil, Venezuela and Pakistan characterised the digital/ICT divide between States as a major threat to cyberspace stability. Thus, capacity building, multistakeholder involvement and international cooperation — at CERT, policymaking and law enforcement levels — were introduced early as key elements of international cybersecurity. UK and Russia supported this agenda. France, China and Ecuador identified the development of cyber offensive capabilities as an international threat since they legitimise cyberspace as a theatre of military operations.

India’s participation in this area treads a middle ground. ICT supply chain security across infrastructure, products and services; and the protection of “critical information infrastructures” (CIIs) integral to economies and “social harmony” were stated priorities. Notably, the definition of CIIs under the Information Technology Act does not cite social harmony. India cited ransomware, misinformation, data security breaches and “… mismatches in cyber capabilities between Member States” as contemporary threats. To mitigate these threats, India advocated for improved information sharing and cooperation at technical, policy and government levels across Member States.

Cyber Norms

States disagreed on whether prior GGE and OEWG consensus reports serve as a minimum baseline for future cyber norms discussions. The Sino-Russian camp which includes Iraq, Nicaragua, Pakistan, Belarus, Cuba and others argued that cyber norms are an insufficient fix, and instead proposed a new legally binding instrument on international cybersecurity. China proposed a Global Initiative on Data Security as a blueprint for such a framework. Calls for treaties/conventions could trigger reintroduction of prior proposals on information security by these States.

The US, UK, Australia, Japan, France, Germany, Netherlands and allied States, and developing countries like Brazil, Argentina, Costa Rica, South Africa and Kenya argued that, instead of revisiting first principles, the current OEWG’s focus should be the implementation of earlier agreed cyber norms. Self-assessment of States’ implementation of the cyber norms framework was considered an international first step. The United Nations Institute for Disarmament Research (UNIDIR) in partnership with Australia, Canada, Mexico and others, launched a new national survey tool to gauge countries’ trajectories in implementation. Since cyber norms are voluntary, the survey serves as a soft mechanism of accountability, a platform which democratises best practices, and a directory of national points-of-contact (PoCs) wherein States can connect and collaborate.

States also raised substantive areas for discussions on new norms or clarifications on existing ones. Netherlands, US, UK and Estonia called for protections safeguarding the public core of the internet, since it comprises the technical backbone infrastructure in cyberspace which facilitates freedom of expression, peaceful assembly and access to online information. “Due diligence”— which requires States to not allow their territory to be used for internationally wrongful acts—was another substantive area of interest.

ICT supply chain integrity and attribution generated substantial interest. Given the close scrutiny on domestic companies, under this theme China recommended new rules and standards on international supply chain security. If analysed through lawfare this proposal perhaps aims to minimise targeted State measures against Chinese ICT suppliers in both telecom and digital markets.

The US pressed for deliberations on “attribution” and specifically public attribution of State-sponsored malicious cyber activities. China cautioned against hasty public attributions since it may cause escalation and inter-State confrontation. China argued that attributions on cyber incidents require complete and sufficient technical evidence. The sole emphasis on technical evidence (which ignores surrounding evidence and factors) could be strategic since it creates a challenging threshold for attribution. As a result it could counter-intuitively end up obfuscating the source of malicious activities in cyberspace.

Discussions on “critical infrastructure” protection also raised important interventions. Singapore stated that critical infrastructure security should protect electoral and democratic integrity. China argued for an international definition of “critical infrastructure” consistent with sovereignty. Over time such representations could further legitimise greater information controls and embed the Sino-Russian conception of information security within global processes.

India focused on supply chain integrity, critical infrastructure protection and greater institutional and policy cooperation. They advocated close cooperation in matters involving criminal and terrorist use of ICTs. There were also brief references to democratisation of cyber capabilities across Member States and the role of cloud computing infrastructure in future inter-State conflicts. This served as a prelude to India’s interventions under international law.

International Law

Familiar geopolitical fragmentations shaped discussions. Russia, China, Cuba, Belarus, Iran, and Syria called for a binding international instrument which regulates State behaviour in cyberspace. Belarus argued that extant international legal norms and the UN Charter lack meaningful applicability to modern cyber threat landscapes. Russia and Syria called for clarity on what areas and issues fall within the sphere of international cybersecurity. Viewed through the lens of lawfare, it appears that such proposals aim to integrate their conceptions of information security within OEWG discussions.

EU, Estonia, Australia and France argued this would undermine prior international processes and the cyber norms framework. The US, UK, Australia, Canada, Brazil, France, Japan, Germany and Korea instead focused on developing a common understanding on international law’s applicability to cyberspace, including the UN Charter. They pushed for dialogue on international humanitarian law, international human rights law, prohibition on the use of force, and the right to self-defence against armed attacks. Similar to previous failed negotiations at the 5th GGE, these issues continue to remain contentious areas. For instance, Cuba argued against the applicability of the right to self-defence since no cybersecurity incident can qualify as an “armed attack”.

Sovereignty, sovereign equality and non-interference in States’ internal affairs were prominent issues. Other substantive areas included attribution (technical, legal and political), critical infrastructure protection and the peaceful settlement of disputes. To enable common understanding and potential consensus on international law, the US, Singapore and Switzerland advocated the OEWG follow a similar approach to the 6th UN GGE. Specifically, they suggested developing a voluntary compendium of national positions on the applicability of international law in cyberspace.

India addressed issues relating to sovereignty, non-intervention in internal affairs, prohibition of the use of force, attribution, and dispute settlement. It discussed the need to assign international responsibility on States for cyber operations emerging from one State and which have extra-territorial effects. They argued for States enjoying the sovereignty to pass domestic laws/policies towards securing their ICT environments. India advocated imposing upon States an obligation to take reasonable steps to stop ICT-based internationally wrongful acts domestically. Finally, it highlighted that international law must adapt to the role of cloud computing hosting data/malicious activities in cross-border settings.

Conclusion | Previewing Part 3

In Part 2 of this series on the second substantive session of the OEWG on ICT Security (2021-25) we have analysed States’ interventions on matters relating to existing and potential threats to information security; the future role of cyber norms for responsible State behaviour in cyberspace; and the applicability of international law within cyberspace. In Part 3 we assess discussions relating to confidence building measures, capacity building and regular institutional dialogue. While this post reveals the geopolitical tensions which influence international cybersecurity discussions, the next post focuses extensively on the international cooperation, trust building, technical and institutional collaboration, and developmental aspects of these processes.

Call for Applications for the Positions (i) Community and Engagement Associates, (i) Community and Engagement Officers, (ii) Strategic Development and Partnerships Associates, and (ii) Strategic Development and Partnerships Officers

The National Law University Delhi (‘University’), through its Centre for Communication Governance (‘CCG’/‘Centre’) is inviting applications for the posts of (i) Community and Engagement Associates and Community and Engagement Officers and (ii) Strategic Development and Partnership Associates and Strategic Development and Partnership Officers, to work at the Centre. 

About the Centre for Communication Governance

The Centre for Communication Governance at National Law University Delhi was established in 2013 to ensure that Indian legal education establishments engage more meaningfully with information technology law and policy, and to contribute to improved governance and policy making. CCG is the only academic research centre dedicated to working on information technology law and policy in India, and in a short span of time has become a leading institution in the sector. 

Through its Technology and Society team, CCG seeks to embed constitutional values and good governance within information technology law and policy and examine the evolution of existing rights frameworks to accommodate new media and emerging technology. It seeks to support the development of the right to freedom of speech, right to dignity and equality, and the right to privacy in the digital age, through rigorous academic research, policy intervention, and capacity building. The team’s ongoing work is on subjects such as —privacy and data governance/protection, regulation of emerging technologies like artificial intelligence, blockchain, 5G and IoT, platform regulation, misinformation, intermediary liability and digital access and inclusion.

This complements the work of the Technology and National Security team at CCG that focuses on issues that arise at the intersection of technology and national security law, including cyber security, information warfare, and the interplay of international legal norms with domestic regulation. The team’s work aims to build a better understanding of national security issues in a manner that identifies legal and policy solutions that balance the legitimate security interests and national security choices with constitutional rights and the rule of law, in the context of technology law and policy. The team undertakes analysis of international law as well as domestic laws and policies that have implications for national security. Our goal is to develop detail-oriented, principled and pragmatic recommendations for policy makers on national security issues faced by India, with an emphasis on cyber security and cyber conflict. 

The work at CCG is designed to build competence and raise the quality of discourse in research and policy around issues concerning constitutional rights and rule of law in the digital age, cybersecurity and global internet governance. The academic research and policy output is intended to catalyse effective research-led policy making and informed public debate around issues in technology, internet governance and information technology law and policy.

Role

CCG is a young, continuously evolving organisation and the members of the Centre are expected to be active participants in building a collaborative, merit-led institution and a lasting community of highly motivated young professionals. If selected, you will contribute to the institution’s growth and development by playing a key role in advancing our community engagement / strategic development and partnerships. You will be part of a dynamic team of young researchers, policy analysts and lawyers. Please note that our interview panel has the discretion to determine which role would be most suitable for each applicant based on their qualifications and experience. 

We are inviting applications for the following roles-

(i) Community and Engagement Associates (2 position)

(ii) Community and Engagement Officers (2 position)

(iii) Strategic Development and Partnership Associates (2 position)

(iv) Strategic Development and Partnership Officers (2 position)

i. Community and Engagement Associates and Community and Engagement Officers

Some of the key roles and responsibilities of the Community & Engagement Associates and Community & Engagement Officers may include:

  • Developing and supporting the team in community and engagement strategy. The candidate will have to work both independently and collaboratively with the team leadership, researchers and various other members of the team.
  • Building engagement with key stakeholders and community members of the Digital Society ecosystem at the domestic and international level.
  • Conceptualising and implementing events, workshops, roundtables, etc. to engage with stakeholders in the ecosystem.
  • Creating relevant content in the form of posters, social media posts, and other allied material for the various events conducted by CCG. 
  • Strategising and creating visual and written content for newsletters, email communications and other modes of engagement.
  • Strategising and creating internal and external communication material including relevant posts, images and posters, and other allied content for social media dissemination, including Twitter, Instagram, LinkedIn, and Facebook.
  • Strategising and creating visual representations, infographics and other graphical representations to make research and analysis available in an accessible manner.
  • Managing social media accounts and maintaining a social media calendar and database of disseminated content. Working with social media on campaigns using tools like hootsuite, oneup, etc., and oversight and management of websites and blogs.
  • Editorial design and layout for reports, presentations, and other written outputs.
  • Aiding in conceptualising, recording and editing audio, podcasts, and/or video material. 
  • Engaging with CCG’s media networks and other key stakeholders.
  • Identifying opportunities for media engagement for the dissemination of CCG’s work.
  • Maintaining records of media and social media coverage and collecting data for analytics and metrics.
  • Strategising, editing, developing, managing and implementing content for the CCG website, CCG Blog, etc. 

This is an indicative list of some of the responsibilities the person will be involved in and is not inclusive of all activities one might be engaged with. We welcome applicants with an interest in any of the areas that CCG broadly works in to apply.

ii. Strategic Development and Partnership Associates and Strategic Development and Partnership Officers

Some of the key roles and responsibilities of the Strategic Development and Partnership Associates and Strategic Development and Partnership Officers may include:

  • Identifying potential funders and partners (domestic and international) to develop CCG’s work and engaging with them.
  • Developing funding opportunities and networks for CCG programs and research.
  • Drafting grant proposals, presentations and applications in coordination with CCG leadership and researchers and spearheading all phases of the grant process (pre-award, award and post-award phase).
  • Ensuring timely funder reporting, project completion reports, and preparation of project narratives.
  • Proactively managing, building and developing new and existing partnerships (domestic and international) portfolios in consultation with senior leadership at CCG.
  • Building engagement with key stakeholders and community members of the Digital Society ecosystem at the domestic and international level across academia, media, civil society, industry, regulatory bodies, other experts, members of parliament, senior government officers, judges, senior lawyers, scholars, and journalists. We are looking for someone who is very constructive and is not only able to help our community get the most out of CCG’s work but is also able to connect people with each other, playing an enabling, generative role that encourages and supports the ecosystem.
  • Identifying opportunities for CCG to present and highlight its programs and research and working towards applying for and implementing these opportunities.
  • Making use of effective programme/project management tools within the team (leadership, research, admin and community and engagement) to ensure strategic development of CCG’s goals.
  • Identifying opportunities for capacity building for the CCG team and organising and implementing relevant activities.
  • Conceptualising and implementing events, workshops, roundtables, etc. to engage with stakeholders in the ecosystem.
  • Strategising, developing, co-ordinating, organising and implementing events, fellowships, moots and courses such as Summer School, Courses (Certificate Course, etc.), Workshops, DIGITAL Fellowship, Oxford Price Media South Asia Rounds, and Capacity Building events.
  • Strategising, editing, developing, managing and implementing content for the CCG website, CCG Blog, etc.
  • Strategising and supporting the development of engagement and outreach modes such as social media, podcasts, newsletters, events, meetings, etc.
  • Developing and supporting the team in a community and engagement strategy. 
  • Engaging with CCG’s media networks and other key stakeholders and identifying opportunities for media engagement for the dissemination of CCG’s work.
  • Maintaining records of media coverage and collecting data for analytics and metrics.
  • Developing and implementing CCG’s DEI initiatives and programs.

This is an indicative list of some of the responsibilities the person will be involved in and is not inclusive of all activities one might be engaged with. We welcome applicants with an interest in any of the areas that CCG broadly works in to apply.

Qualifications for the Roles

  • The Centre welcomes applications from candidates with degrees in design, media and communication, law, public policy, development studies, BBA, journalism, english and social sciences or other relevant/applicable fields.
  • For the Associate role, preference may be given to candidates with an advanced degree in related fields or 2+ years of PQE and previous experience of working on related issues.
  • For the Officer role, preference may be given to candidates with an advanced degree in related fields or 4+ years of PQE and previous experience of working on related issues.
  • Candidates must have a demonstrable capacity for high-quality, independent work.
  • Strong communication, digital and writing/presentation skills are important.
  • Interest and previous experience in information technology law and policy is preferred. 
  • A Master’s degree from a highly regarded programme might count towards work experience.

However, the length of your resume is less important than the other qualities we are looking for. As a young, rapidly-expanding organisation, CCG anticipates that all members of the Centre will have to manage large burdens of substantive as well as institutional work. We are looking for highly motivated candidates with a deep commitment to building policies that support and enable constitutional values and democratic discourse. We are looking for people who see good research and policy designs as a way to build a better and more equitable world. At CCG, we aim high, and we demand a lot from each other in the workplace.

We look for individuals with work-style traits that include the ability to work both collaboratively and independently in a fast-paced environment, while being empathetic towards colleagues. We aim to create high-quality research outputs. It is therefore vital that you be a good team player, as well as be kind and respectful to colleagues. At the same time, you should also be self-motivated, proactive, creative as well as be capable of independently driving your work when required. We like to maintain the highest ethical standards in our work and workplace, and look for people who manage all of this while being as kind and generous as possible to colleagues, collaborators and everyone else within our networks. A sense of humour will be most welcome. Even if you do not necessarily fit the requirements outlined but bring to us the other qualities we look for, we will be glad to hear from you. 

Remuneration and Location

The remuneration will be competitive, and will be commensurate with qualifications and experience. Where the candidate demonstrates exceptional competence in the opinion of the selection panel, there is a possibility for greater remuneration. These are full time positions based out of Delhi. 

Application Process

Interested candidates may fill the application form provided by 05:00 pm IST on June 20, 2022. Please note that applications will only be accepted via the Google Form. In case of any doubts please contact us at ccg@nludelhi.ac.in with the subject line “Application for Community and Engagement/Strategic Development and Partnerships”. We encourage applicants to apply at the earliest.

 A complete application form will require the following: 

  • A signed and completed Application Form, available here.
  • The form requires a Statement of Motivation which applicants have to answer in a maximum of 800 words. The Statement of Motivation should ideally engage with the following aspects: 

(i) Why do you wish to work with CCG? 

(ii) For those applying for the role of Community and Engagement Associate/Officer: What will be your likely contribution to our work? How would you develop CCG’s community and engagement with stakeholders, the ecosystem and use CCG’s work to add value to the public discourse? 

Or

For those applying for the role of Strategic Development and Partnership Associate/Officer: What will be your likely contribution to our work? How would you undertake strategic development of CCG’s work, fundraising for CCG’s research and programs and build partnerships? 

(iii) What past experiences and skills optimally position you to do so? 

(iv) How does working with CCG connect with your plans for the future?

  • A sample or portfolio of your previous work or writing sample, as relevant. If the candidate does not have anything relevant this is an optional step. However, we encourage candidates to submit any relevant samples they may have of their work. If the 100 MB limit for the upload of the sample is insufficient, please upload an illustrative sample on the google form and the candidate can share a more detailed version of their sample at  ccg@nludelhi.ac.in with the subject line “Call for Strategic Communication and Engagement/ Development and Partnership Associates/Officers – Portfolio”.
  • Please combine the CV, sample of your previous work and statement of motivation in a single PDF file labelled as “Your name – CCG”. The PDF should be uploaded on the link provided in the application form. The single PDF file should contain: (1) a Curriculum Vitae (maximum two pages) (2) a sample or portfolio of your previous work or writing sample as relevant, and (3) Statement of Motivation, to be uploaded in the application form.
  • Applicants should note that they cannot save their work on the application form and return to it later, so they may find it advisable to prepare their Statement of Motivation and merge relevant documents into a PDF document beforehand.
  • Names and contact details of two referees who can be contacted for an oral or a short written reference (to be filled in the form).

Since we require applicants to upload their CV and writing sample, accessing the form requires a Google (Gmail) login. For applicants not having a Google (Gmail) account, we encourage them to create an account, following the quick and simple steps here.

Note

  • National Law University Delhi is an equal opportunity employer.
  • National Law University Delhi reserves the right to conduct telephonic or video interviews. National Law University Delhi is unable to cover the costs of travel, accommodation, etc. for any interviews. 
  • National Law University Delhi reserves the right not to fill these positions.
  • Our selection panel has the discretion to determine which profile/role would be most suitable for each applicant based on their experience, domain understanding and qualifications.
  • The roles, responsibilities and activities enumerated here are indicative and may encompass additional duties related to these.
  • The position is a contractual position and shall be paid under the grants received by the Centre for Communication Governance at National Law University Delhi.
  • We will contact only shortlisted candidates. 

Call For Applications: Research Position at CCG (i) Full Time CCG Researcher, and (ii) Part Time Consultant

The National Law University Delhi (‘University’), through it’s Centre for Communication Governance (‘CCG’/’Centre’) is inviting applications for various research positions across both its teams on a (i) full time basis as a CCG researchers and/or managerial role, and (ii) part time (specific duration) consultants. The details around designations, positions available and requirements are detailed in this Call for Applications.

About the Centre for Communication Governance

The Centre for Communication Governance at National Law University Delhi was established in 2013 to ensure that Indian legal education establishments engage more meaningfully with information technology law and policy, and to contribute to improved governance and policy making. CCG is the only academic research centre dedicated to working on information technology law and policy in India, and in a short span of time has become a leading institution in the sector. 

Through its Technology and Society team, CCG seeks to embed constitutional values and good governance within information technology law and policy and examine the evolution of existing rights frameworks to accommodate new media and emerging technology. It seeks to support the development of the right to freedom of speech, right to dignity and equality, and the right to privacy in the digital age, through rigorous academic research, policy intervention, and capacity building. The team’s ongoing work is on subjects such as — privacy and data governance/protection, regulation of emerging technologies like artificial intelligence, blockchain, 5G and IoT, platform regulation, misinformation, intermediary liability and digital access and inclusion.

This complements the work of the Technology and National Security team at CCG that focuses on issues that arise at the intersection of technology and national security law, including cyber security, information warfare, and the interplay of international legal norms with domestic regulation. The team’s work aims to build a better understanding of national security issues in a manner that identifies legal and policy solutions that balance the legitimate security interests and national security choices with constitutional rights and the rule of law, in the context of technology law and policy. The team undertakes analysis of international law as well as domestic laws and policies that have implications for national security. Our goal is to develop detail-oriented, principled and pragmatic recommendations for policy makers on national security issues faced by India, with an emphasis on cyber security and cyber conflict. 

The work at CCG is designed to build competence and raise the quality of discourse in research and policy around issues concerning constitutional rights and rule of law in the digital age, cybersecurity and global internet governance. The academic research and policy output is intended to catalyse effective research-led policy making and informed public debate around issues in technology, internet governance and information technology law and policy.

Role

CCG is a young, continuously evolving organisation and the members of the Centre are expected to be active participants in building a collaborative, merit-led institution and a lasting community of highly motivated young researchers. If selected, you will contribute to the institution’s growth and development. You will be part of a dynamic team of young researchers, policy analysts and lawyers. Based on experience, domain understanding and qualifications, successful applicants will be placed in the following positions. Please note that our interview panel has the discretion to determine which profile would be most suitable for each applicant based on their experience, domain understanding and qualifications and this is an indicative amount of experience. 

The designations, positions available and requirements are listed below.

(I) Full time CCG researchers

 (i) Analyst(s) (0-2 year’s experience) (3 positions)

(ii) Project Officer(s)/Sr. Project Officers (2+ year’s experience) (5 positions)

(iii) Programme Officer(s)/Sr. Programme Officers (3+ year’s experience) (5 positions)

(iv) Project/Programme/Team Leads/Managers (4+ year’s experience) (4 positions)

A Master’s degree from a highly regarded programme can count towards work experience.

(II) Part time consultants

We will be considering relevant candidates for part time consultants roles to work on various ongoing research projects at CCG for a certain period of time. Depending on the project(s) the consultants is hired to be involved in, the contract period will vary. The Consultants will research, author/ co-author, edit and review research papers, reports, policy responses, and any other publication and related work of the Centre. (15 positions are available for part time consultants)

Responsibilities

  • Working independently and collaboratively with other members of the team to undertake academic and policy research and writing.
  • Conducting in-depth legal, regulatory, policy and legislative analysis and developing policy recommendations.
  • Undertaking high impact academic and policy-centric research and write briefs, reports, responses, blogs, articles and other documents 
  • Researching and writing policy papers, op-eds, blog posts, press releases and memoranda.
  • Undertaking capacity building of stakeholders, adding to the public discourse, developing and organising events, workshops, roundtables, summer schools, courses and fellowships.
  • Representing CCG in the media and at events, roundtables, and conferences and before relevant governmental, and other bodies.
  • Applicants applying for Programme/Project Officers/Managers should also show initiative in managing both their own work, as well as the work of the team. They will play a significant leadership role which ranges from proactive agenda-setting to institutional, and team-building responsibilities.

  1. Analysts and Project Officers/Sr. Project Officers

Selected applicants will ordinarily be expected to design and produce units of publishable policy and academic research (reports, papers, essays, case analysis, etc.) with Senior Staff members. You will also be recommending and assisting with designing and executing policy positions, drafting analytical policy input to government institutions and external actions on a broad range of information policy issues.

Equally, you will also be expected to participate in other work, including writing opinion pieces, blog posts, press releases, memoranda, and help with outreach. The selected applicants will also represent CCG in the media and at other events, roundtables, and conferences and before relevant governmental, and other bodies. In addition, you will have organisational responsibilities such as providing inputs for research/grant applications, building networks, social media and media engagement and designing and executing Centre events.

2. Programme Officers/Sr. Programme Officers and Project/Programme/Team Leads/Managers

In addition to conducting and publishing academic and policy research and organisational responsibilities, as mentioned in the role description above, applicants with more experience will manage, advise and mentor younger team members. As a senior member of the team, you will help shape CCG’s strategic direction and assist and advise senior leadership on issues including policy positioning and direction, staff management and growth, organisational capacity building and structure, writing of grant proposals/fundraising, building collaborations and diversity. You will also be building and maintaining relationships with our stakeholders, including members of parliament, senior government officers, judges, senior lawyers, scholars, and journalists. We are looking for someone who is very constructive and is not only able to help our community get the most out of CCG’s work but is also able to connect people with each other, playing an enabling, generative role that encourages and supports the community’s work.

3. Part time consultants

Part time consultants will work on research projects across the various domains of CCG’s research work. Selected applicants will primarily be expected to develop, undertake, edit and review research that will contribute to the Centre’s ongoing work including privacy and data protection, platform governance, emerging technologies like artificial intelligence, blockchain, IoT and 5G, cyber security and national security. This is an indicative list of some of the areas CCG is currently working on, and not an exhaustive list of projects for which we are looking for consultants in. We welcome applicants with an interest in any of the areas that CCG broadly works in to apply. Depending on the project(s) the consultants is hired to be involved in, the contract period will vary. The Consultants will research, author/ co-author, edit and review research papers, reports, policy responses, and any other publication and related work of the Centre.

Qualifications 

  • The Centre welcomes applications from candidates with degrees in law, social sciences, international affairs, development studies, economics, public policy and other relevant fields. Outstanding candidates with B.Sc./B.Tech degree with a specialisation in IT/Computer Science/Cyber Security with a demonstrated interest in the space or an advanced degree in public policy will also be considered.
  • Preference may be given to candidates who are able to provide evidence of an interest in human rights / constitutional law/ technology law and / or policy / Internet governance/ national security law.
  • Must have a demonstrable capacity for high-quality, independent work.
  • Successful candidates for Managerial positions should show great initiative in managing both their own and their team’s workloads. They will also be expected to lead and motivate their team through high stress periods and in responding to pressing policy questions.
  • Strong research, writing and communication skills are necessary.

However, the length of your resume is less important than the other qualities we are looking for. As a young, rapidly-expanding organisation, CCG anticipates that all members of the Centre will have to manage large burdens of substantive as well as institutional work. We are looking for highly motivated candidates with a deep commitment to building policies that support and enable constitutional values and democratic discourse. We are looking for people who see good research and policy designs as a way to build a better and more equitable world. At CCG, we aim high, and we demand a lot from each other in the workplace.

We look for individuals with work-style traits that include the ability to work both collaboratively and independently in a fast-paced environment, while being empathetic towards colleagues. We aim to create high-quality research outputs. It is therefore vital that you be a good team player, as well as be kind and respectful to colleagues. At the same time, you should also be self-motivated, proactive, creative as well as be capable of independently driving your work when required. We like to maintain the highest ethical standards in our work and workplace, and look for people who manage all of this while being as kind and generous as possible to colleagues, collaborators and everyone else within our networks. A sense of humour will be most welcome. Even if you do not necessarily fit the requirements outlined but bring to us the other qualities we look for, we will be glad to hear from you. 

Remuneration and Location

The salary will be competitive and will be commensurate with qualifications and experience. Where the candidate demonstrates exceptional competence in the opinion of the interview panel, there is a possibility for greater remuneration.

Full-time positions will be based out of Delhi. Part-time consultants may work remotely. 

Application Process

Interested applicants may fill the application form provided by 05:00 pm IST on June 20, 2022. Please note that applications will only be accepted via the google form. In case of any doubts, please contact us at ccg@nludelhi.ac.in with the subject line “Application for Researchers”. 

A complete application for full time research positions at CCG will require the following:

  • A signed and completed Application Form, available here.
  • The form requires a Statement of Motivation which applicants have to answer in a maximum of 800 words. The Statement of Motivation should ideally engage with the following aspects: 

(i) Why do you wish to work with CCG? 

(ii) What will be your likely contribution to our work? What do you think are the most important focus areas for the team to consider, and how do you hope to contribute to it? 

(iii) What past experiences and skills optimally position you to do so? 

(iv) How does working with CCG connect with your plans for the future?

  • Please combine the CV, writing sample and statement of motivation in a single PDF file labelled as “Your name – CCG”. The PDF should be uploaded on the link provided in the application form. The single PDF file should contain: (1) a Curriculum Vitae (maximum two pages) (2) a writing sample of between 1000 and 1500 words (essay or extract, published or unpublished preferably on a relevant topic), and (3) Statement of Motivation, to be uploaded in the application form.
  • Applicants should note that they cannot save their work on the application form and return to it later, so they may find it advisable to prepare their Statement of Motivation and merge relevant documents into a pdf beforehand.
  • Names and contact details of two referees who can be contacted for an oral or a short written reference (to be filled in the form).

A complete application for part time consultants at CCG will require the following:

  • A signed and completed Application Form, available here.
  • Please combine your Cover letter (optional), CV and writing sample in a single PDF file labelled as “Your name – CCG”. The PDF should be uploaded on the link provided in the application form. 
  • Applicants should note that they cannot save their work on the application form and return to it later, so they may find it advisable to merge relevant documents into a pdf beforehand.
  • Names and contact details of two referees who can be contacted for an oral or a short written reference (to be filled in the form).

Since we require applicants to upload their CV and writing sample, accessing the form requires a Google (Gmail) login. For applicants not having a Google (Gmail) account, we encourage them to create an account, following the quick and simple steps here.

Note

  • National Law University Delhi is an equal opportunity employer.
  • National Law University Delhi reserves the right to conduct telephonic or video interviews. National Law University Delhi is unable to cover the costs of travel, accommodation, etc. for any interviews. 
  • National Law University Delhi reserves the right not to fill these positions.
  • Our selection panel has the discretion to determine which profile/role would be most suitable for each applicant based on their experience, domain understanding and qualifications.
  • The roles, responsibilities and activities enumerated here are indicative and may encompass additional duties related to these.
  • The position is a contractual position and shall be paid under the grants received by the Centre for Communication Governance at National Law University Delhi.
  • We will contact only shortlisted candidates. 

Understanding CERT-In’s Cybersecurity Directions, 2022

Sukanya Thapliyal

“Cyber Specialists” by Khahn Tran is licensed under CC BY 4.0

INTRODUCTION

The Indian Government is set to initiate a widely discussed cybersecurity regulation later this month. On April 28, 2022, India’s national agency for computer incident response, also known as the Indian Computer Emergency Response Team (CERT-In), released Directions relating to information security practices, the procedure, prevention, response, and reporting of cyber incidents for Safe & Trusted Internet. These Directions were introduced under section 70B(6) of India’s Information Technology Act, 2000 (IT Act). This provision allows CERT-In to call for information and issue Directions to carry out its obligations relating to:
1. facilitating the collection, analysis and dissemination of information related to cyber incidents,
2. releasing forecasts and alerts, and
3. taking emergency measures.

According to the IT Act, the new Directions are mandatory in nature, and non-compliance attracts criminal penalties which includes imprisonment of up to one year. The notification states that the Directions will become effective 60 days from the days of issuance i.e. on June 28, 2022. The Directions were later followed by a separate Frequently Asked Questions (FAQ) document, released as a response to stakeholder queries and concerns.

These Directions have been introduced in response to increasing instances of cyber security incidents which undermine national security, public order, essential government functions, economic development, and security threats against individuals operating through cyberspace. Further, recognizing that the private sector is a crucial component of the digital ecosystem, the Directions also push for closer cooperation between private organisations and government enforcement agencies. Consequently, the Directions have identified sharing of information for analysis, investigation, and coordination concerning the cyber security incidents as one of its prime objectives.

POLICY SIGNIFICANCE OF DIRECTIONS

Presently, Indian cybersecurity policy lacks a definite form. The National Cyber Security Policy (NCSP) was released in 2013 serves as an “umbrella framework for defining and guiding the actions related to security of cyberspace”. However, the policy has seen very limited implementation and has been mired in a multi-year reform which awaits completion. The new cybersecurity strategy is still in the works, and there is no single agency to oversee all relevant entities and hold them accountable.

Cybersecurity policymaking and governance are progressing through different government departments at national and state levels in silos and in a piecemeal manner. Several cybersecurity experts have also identified the lack of adequate technical skills and resource constraints as a significant challenge for government bodies. The Indian cybersecurity policy landscape needs to address these existing and emerging threats and challenges by instilling appropriate security standards, efficient implementation of modern technologies, framing of effective and laws and security policies, and adapting multi-stakeholder approaches within cybersecurity governance.

Industry associations and lobby groups such as US Chamber of Commerce (USCC), US-India Business Council (USIBC), The Software Alliance (BSA), and Information Technology Industry Council (ITI) have responded to the Directions with criticism. These organisations have stated that these Directions, in present format, would negatively impact Indian and global enterprises and undermine cybersecurity. Moreover, the Directions were released without any public consultations and therefore, lack necessary stakeholder inputs from across industry, civil society, academia and technologists.

The new CERT-In Directions mandate covered entities (service providers, intermediaries, data centers, body corporate and governmental organisations) to comply with prescriptive requirements that include time synchronisation of ICT clocks, excessive data retention requirements, 6 hr reporting requirement of cyber incidents, among others. The next section critically evaluates salient features of the Directions.

SALIENT FEATURES OF THE DIRECTIONS

Time Synchronisation: Clause (i) of the Directions mandates service providers, intermediaries, data centers, body corporate and governmental organisations to connect to the Network Time Protocol (NTP) Server of National Informatics Centre (NIC) or National Physical Laboratory (NPL) or with NTP servers traceable to these NTP servers, for synchronisation of all their ICT systems clocks. For organisations whose operations span multiple jurisdictions, the Directions allow relaxation by allowing them to use alternative servers. However, the time source of concerned servers should be the same as that of NPL or NIC. Several experts have raised that the requirement as extremely cumbersome, resource-intensive, and not in conformity with industry best practices. As per the established practice, companies often base their decision regarding NTP servers on practicability (lower latency) and technical efficiency. The experts have raised concerns over the technical and resource constraints with NIC and NPL servers in managing traffic volumes, and thus questioning the practical viability of the provision. .

Six-hour Reporting Requirement: Clause (ii) requires covered entities to mandatorily report cyber incidents within six hours of noticing such incidents or being notified about such incidents. The said Direction imposes a stricter requirement than what has been prescribed under Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 (CERT-In Rules) that allows the covered entities to report the reportable cyber incident within “a reasonable time of occurrence or noticing the incident to have scope for timely action”. The six hour reporting requirement is also stricter than the established norms in other jurisdictions, including the USA, EU, UK, and Australia. Such reporting requirements normally range from 24 hours to 72 hours, depending upon the affected sector, type of cyber intrusion, and attack severity. The CERT-In Directions make no such distinctions in its reporting requirement. Further, the reportable cyber security incidents under Annexure 1 feature an expanded list of cyber incidents (compared to what are mentioned in the CERT-In Rules). These reportable cyber incidents are defined very broadly and range from unauthorised access to systems, identity theft, spoofing and phishing attacks to data branches and data theft. Considering that an average business entity with digital presence engages in multiple digital activities and there is no segregation on the basis of scale or severity of incident, the Direction may be impractical to achieve, and may create operational/compliance challenges for many smaller business entities covered under the Directions. Government agencies often require business entities to comply with incident/breach reporting requirements to understand macro cybersecurity trends, cross-cutting issues, and sectoral weaknesses. Therefore, governments must design cyber incident reporting requirements tailormade to sectors, severity, risk and scale of impact. Not making these distinctions can make reporting exercise resource-intensive and futile for both affected entities and government enforcement agencies.

Maintenance of logs for 180 days for all ICT systems within India: Clause (iv) mandates covered entities to maintain logs of all the ICT systems for a period of 180 days and to store the same within Indian jurisdiction. Such details may be provided to CERT-In while reporting a cyber incident or otherwise when directed. Several experts have raised concerns over a lack of clarity regarding scope of the provision. The term “all ICT systems” in its present form could include a huge trove of log information that may extend up to 1 Terabyte a day. It further requires the entities to retain log information for 180 days as opposed to the current industry practice (30 days). This Direction is not in line with the purpose limitation and the data minimisation principles recognized widely in several other jurisdictions including EU’s General Data Protection Regulation (GDPR) and does not provide adequate safeguard against indiscriminate data collection that may negatively impact the end users. Further, many experts have pointed out that the concerned Direction lacks transparency and is detrimental to the privacy of the users. As the log information often carries personally indefinable information (PII), the provision may conflict with users informational privacy rights. CERT-In’s Directions are not sufficiently clear on the safeguard measures to balance legal enforcement objectives with the fundamental rights.

Strict data retention requirements for VPN and Cloud Service Providers: Clause (v) requires “Data Centres, Virtual Private Server (VPS) providers, Cloud Service providers, and Virtual Private Network Service (VPN Service) providers” to register accurate and detailed information regarding subscribers or customers hiring the services for a period of 5 years or longer after any cancellation or withdrawal of the registration. Such information shall include the name, address, and contact details of subscribers/ customers hiring the services, their ownership pattern, the period of hire of such services, and e-mail ID, IP address, and time stamp used at the time of registration. Clause (vi) directs virtual asset service providers, virtual asset exchange providers, and custodian wallet providers to maintain all KYC records and details of all financial transactions for a five year period. These Directions are resource-intensive and would substantially increase the compliance cost for many companies. It is also important to note that bulk data retention for a longer time period also creates greater vulnerabilities and attack surfaces of private/sensitive/commercial ICT use. As India is still to enact its data protection law, and the Directions are silent on fundamental rights safeguards, it has also led to serious privacy concerns. Further, some entities covered under this direction, including VPS or VPN providers, are privacy and security advancing services that operate on a strict no-log policy. VPN services provide a secure channel for storing and sharing information by individuals and businesses. VPNs are readily used by the business and individuals to protect themselves on unsecured, public Wifi networks, prevent website tracking, protect themselves from malicious websites, against government surveillance, and for transferring sensitive and confidential information. While VPNs have come under fire for being used by cybercriminals and other malicious actors, a blanket requirement for maintaining logs and excessive data retention requirement goes against the very nature of the service and may render these services pointless (and even insecure) for many users. The Frequently Asked Questions (FAQs), released following the CERT-In Directions have absolved the Enterprise/Corporate VPNs from the said requirement. However, the Directions still stand for VPN Service providers that provide “Internet proxy like services” to general Internet subscribers/users. As a result, some of the largest VPN service providers including NordVPN, and PureVPN have indicated the possibility of pulling their servers out of India and quitting their operations in India.

In a separate provision [Clause (iii)], CERT-In has also directed the service providers, intermediaries, data centers, body corporate, and government organisations to designate a point of contact to interface with CERT-In. The Directions have also asked the covered entities to provide information or any other assistance that CERT-In may require as part of cyber security mitigation actions and enhanced cyber security situational awareness.

CONCLUSION

Our ever-growing dependence on digital technology and its proceeds has exposed us to several vulnerabilities. Therefore, the State plays a vital role in intervening through concrete and suitable policies, institutions and digital infrastructures to protect against future cyber threats and attacks. However, the task is too vast to be handled by the governments alone and requires active participation by the private sector, civil society, and academia. While the government has a broader perspective of potential threats through law enforcement and intelligence organisations and perceives cybersecurity concerns from a national security lens, the commercial and fundamental rights dimensions of cybersecurity would benefit from inputs from the wider stakeholder community across the cybersecurity ecosystem.

Although in recent years, India has shown some inclination of embracing multi-stakeholder governance within cybersecurity policymaking, the CERT-In Directions point in the opposite direction. Several of the directions mentioned by the CERT-In, such as the six-hour reporting requirement, excessive data retention requirements, synchronisation of ICT clocks indicate that the government appear to adopt a “command and control” approach which may not be the most beneficial way of approaching cybersecurity issues. Further, the Directions have also failed to address the core issue of capacity constraints, lack of skilled specialists and lack of awareness which could be achieved by establishing a more collaborative approach by partnering with the private sector, civil society and academia to achieve the shared goal of cybersecurity. The multi stakeholder approaches to policy making have stood the test of time and have been successfully applied in a range of policy space including climate change, health, food security, sustainable economic development, among others. In cybersecurity too, the need for effective cross-stakeholder collaboration is now recognised as a key to solving difficult and challenging policy issues and produce credible and workable solutions. The government, therefore, needs to affix institutions and policies that fully recognize the need and advantages of taking up multi stakeholder approaches without compromising accountability systems that give due consideration to security threats and safeguard citizen rights.

Guest Post: Evaluating MIB’s emergency blocking power under Rule 16 of the 2021 IT Rules (Part II)

This post is authored by Dhruv Bhatnagar

Part I of this two part-series examined the contours of Rule 16 of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (“2021 IT Rules”), and the  Bombay High Court’s rationale for refusing to stay the rule in the Leaflet case. This second part examines the legality and constitutionality of Rule 16. It argues that the rule’s constitutionality may be contested because it deprives impacted content publishers of a hearing when their content is restricted. It also argues that the MIB should provide information on blocking orders under Rule 16 to allow them to be challenged, both by users whose access to information is curtailed, and by publishers whose right to free expression is restricted.

Rule 16’s legality

At its core, Rule 16 is a legal provision granting discretionary authority to the government to take down content. Consistently, the Supreme Court (“SC”) has maintained that to be compliant with Article 14, discretionary authority must be backed by adequate safeguards.[1] Admittedly, Rule 16 is not entirely devoid of safeguards since it envisages an assessment of the credibility of content blocking recommendations at multiple levels (refer Part I for context). But this framework overlooks a core principle of natural justice – audi alteram partem (hear the other side) – by depriving the impacted publishers of a hearing.

In Tulsiram Patel, the SC recognised principles of natural justice as part of the guarantee under Article 14 and ruled that any law or state action abrogating these principles is susceptible to a constitutionality challenge. But the SC also found that natural justice principles are not absolute and can be curtailed under exceptional circumstances. Particularly, audi alteram partem, can be excluded in situations where the “promptitude or the urgency of taking action so demands”.

Arguably, the suspension of pre-decisional hearings under Rule 16 is justifiable considering the rule’s very purpose is to empower the Government to act with alacrity against content capable of causing immediate real-world harm. However, this rationale does not preclude the provision of a post-decisional hearing under the framework of the 2021 IT Rules. This is because, as posited by the SC in Maneka Gandhi (analysed here and here), the “audi alteram partem rule is sufficiently flexible” to address“the exigencies of myriad kinds of situations…”. Thus, a post-decisional hearing to impacted stakeholders, after the immediacy necessitating the issuance of interim blocking directions had subsided, could have been reasonably accommodated within Rule 16. Crucially, this would create a forum for the State to justify the necessity and proportionality of its speech restriction to the individuals’ impacted (strengthening legitimacy) and the public at large (strengthening the rule of law and public reasoning). Finally, in the case of ex-facie illegal content, originators are unlikely to avail of post-facto hearings, mitigating concerns of a burdensome procedure.       

Rule 16’s exercise by MIB

Opacity

MIB has exercised its power under Rule 16 of the 2021 IT Rules on five occasions. Collectively, it has ordered the blocking of approximately 93 YouTube channels, 6 websites, 4 Twitter accounts, and 2 Facebook accounts. Each time, MIB has announced content blocking only through press releases after theorders were passed but has not disclosed the actual blocking orders.

MIB’s reluctance to publish its blocking orders renders the manner it is exercising power under Rule 16 opaque. Although press statements inform the public that content has been blocked, blocking orders are required (under Rule 16(2) and Rule 16(4)) to record the reasons for which the content has been blocked. As discussed above, this limits the right to free expression of the originators of the content and denies them the ability to be heard.

Additionally, content recipients, whose right to view content and access information is curtailed through such orders, are not being made aware of the existence of these orders by the Ministry directly. Pertinently, the 2021 IT Rules appear to recognise the importance of informing users about the reasons for blocking digital content. This is evidenced by Rule 4(4), which requires ‘significant social media intermediaries’ to display a notice to users attempting to access proactively disabled content. However, in the absence of similar transparency obligations upon MIB under the 2021 IT Rules, content recipients aggrieved by the Ministry’s blocking orders may be compelled to rely on the cumbersome mechanism under the Right to Information Act, 2005 to seek the disclosure of these orders to challenge them.   

Although the 2021 IT Rules do not specifically mandate the publication of blocking orders by MIB, this obligation can be derived from the Anuradha Bhasin verdict. Here, in the context of the Telecom Suspension Rules, the SC held that any order affecting the “lives, liberty and property of people” must be published by the government, “regardless of whether the parent statute or rule prescribes the same”. The SC also held that the State should ensure the availability of governmental orders curtailing fundamental rights unless it claims specific privilege or public interest for refusing disclosure. Even then, courts will finally decide whether the State’s claims override the aggrieved litigants’ interests.

Considering the SC’s clear reasoning, MIB ought to make its blocking orders readily available in the interest of transparency, especially since a confidentiality provision restricting disclosure, akin to Rule 16 of the Information Technology (Procedure and Safeguards for Blocking for Access of Information by Public) Rules, 2009 (“2009 Blocking Rules”), is absent in the 2021 IT Rules.   

Overuse

Another concerning trend is MIB’s invocation of its emergency content-blocking power as the norm rather than the exception it was meant to be. For context, the 2021 IT Rules provide a non-emergency blocking process under Rules 14 and 15, whereunder impacted publishers are provided a pre-decisional hearing before an Inter-Departmental Committee required to be constituted under Rule 13(1)(b). However, thus far, MIB has exclusively relied on its emergency power to block ostensibly problematic digital content, including fake news.

While the Bombay High Court in the Leaflet case declined to expressly stay Rule 14 (noting that the Inter-Departmental Committee was yet to be set up) (¶19), the High Court’s stay on Rule 9(3) creates a measure of ambiguity as to whether Rules 14 and 15 are currently in effect. This is because Rule 9(3) states that there shall be a government oversight mechanism to “ensure adherence to the Code of Ethics”. A key part of this mechanism is the Inter-Departmental Committee whose role is to decide “violation[s] or contravention[s] of the Code of Ethics” (Rule 14(2)). The High Court even notes that it is “incomprehensible” how content may be taken down under Rule 14(5) for violating the Code of Ethics (¶27). Thus, despite the Bombay High Court’s refusal to stay Rule 14, it is arguable that the High Court’s stay on the operation of Rule 9(3) to prevent the ‘Code of Ethics’ from being applied against online news and curated content publishers, may logically extend to Rule 14(2) and 15. However, even if the Union were to proceed on a plain reading of the Leaflet order and infer that the Bombay High Court did not stay Rules 14 and 15, it is unclear if the MIB has constituted the Inter-Departmental Committee to facilitate non-emergency blocking.     

MeitY has also liberally invoked its emergency blocking power under Rule 9 of the 2009 Blocking Rules to disable access to content. Illustratively, in early 2021 Twitter received multiple blocking orders from MeitY, at least two of which were emergency orders, directing it to disable over 250 URLs and a thousand accounts for circulating content relating to farmers’ agitation against contentious farm laws. Commentators have also pointed out that there are almost no recorded instances of MeitY providing pre-decisional hearings to publishers under the 2009 Blocking Rules, indicating that in practice this crucial safeguard has been rendered illusory.  

Conclusion

Evidently, there is a need for the MIB to be more transparent when invoking its emergency content-blocking powers. A significant step forward in this direction would be ensuring that at least final blocking orders, which ratify emergency blocking directions, are made readily available, or at least provided to publishers/originators. Similarly, notices to any users trying to access blocked content would also enhance transparency. Crucially, these measures would reduce information asymmetry regarding the existence of blocking orders and allow a larger section of stakeholders, including the oft-neglected content recipients, the opportunity to challenge such orders before constitutional courts.

Additionally, the absence of hearings to impacted stakeholders, at any stage of the emergency blocking process under Rule 16 of the 2021 IT Rules limits their right to be heard and defend the legality of ‘at-issue’ content. Whilst the justification of urgency may be sufficient to deny a pre-decisional hearing, the procedural safeguard of a post-decisional hearing should be incorporated by MIB.

The aforesaid legal infirmities plague Rule 9 of the 2009 Blocking Rules as well, given its similarity with Rule 16 of the 2021 IT Rules. The Tanul Thakur case presents an ideal opportunity for the Delhi High Court to examine and address the limitations of these rules. Civil society organisations have for years advocated (here and here) for incorporation of a post-decisional hearing within the emergency blocking framework under the 2009 Blocking Rules too. Its adoption and diligent implementation could go a long way in upholding natural justice and mitigating the risk of arbitrary content blocking.


[1] State of Punjab v. Khan Chand, (1974) 1 SCC 549; Virendra v. The State of Punjab & Ors., AIR 1957 SC 896; State of West Bengal v. Anwar Ali, AIR 1952 SC 75.

Guest Post: Evaluating the legality of MIB’s emergency blocking power under the 2021 IT Rules (Part I)

This post is authored by Dhruv Bhatnagar

The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (“2021 IT Rules”) were challenged before several High Courts (refer here and here) almost immediately after their promulgation. In one such challenge, initiated by the publishers of the online news portal ‘The Leaflet’, the Bombay High Court, by an order dated August 14, 2021,  imposed an interim stay on the operation of Rules 9(1) and (3) of the 2021 IT Rules. Chiefly, this was done because these provisions subject online news and curated content publishers to a vaguely worded ‘code of ethics’, adherence to which would have had a ‘chilling effect’ on their freedom of speech. However, the Bombay High Court refused to stay Rule 16 of these rules, which empowers the Ministry of Information and Broadcasting (“MIB”) to direct blocking of digital content during an “emergency” where “no delay is acceptable”.

Part I of this two-part series, examines the contours of Rule 16 and argues that the Bombay High Court overlooked the procedural inadequacy of this rule when refusing to stay the provision in the Leaflet case. Part II assesses the legality and constitutionality of the rule.

Overview of Rule 16

Part III of the 2021 IT Rules authorises the MIB to direct blocking of digital content in case of an ‘emergency’ in the following manner:

The MIB has correctly noted that Rule 16 is modelled after Rule 9 of the Information Technology (Procedure and Safeguards for Blocking for Access of Information by Public) Rules, 2009 (“2009 Blocking Rules”) (analysed here), and confers upon the MIB similar emergency blocking powers which the Ministry of Electronics and Information Technology (“MeitY”) has possessed since 2009. Both provisions confer discretion upon authorised officers to determine what constitutes an emergency but fail to provide a hearing to impacted publishers or intermediaries at any stage.

Judicial findings on Rule 16

The Bombay High Court’s order in the Leaflet case is significant since it is the first time a constitutional court has recorded its preliminary findings on the rule’s legitimacy. Here, the Bombay High Court refused to stay Rule 16 primarily for two reasons. First, the High Court held that Rule 16 of the 2021 IT Rules is substantially similar to Rule 9 of the 2009 Blocking Rules, which is still in force. Second, the grounds upon which Rule 16 permits content blocking are coextensive with the grounds on which speech may be ‘reasonably restricted’ under Article 19(2) of the Indian Constitution. Respectfully, the plausibility of this reasoning is contestable:

Equivalence with the 2009 Blocking Rules: Section 69A of the IT Act and the 2009 Blocking Rules were previously challenged in Shreya Singhal, where both were upheld by the Supreme Court (“SC”). However, establishing an equivalence between Rule 16 of the 2021 IT Rules and Rule 9 of the 2009 Blocking Rules to understand the constitutionality of the former would have been useful only if Shreya Singhal contained a meaningful analysis of Rule 9. However, the SC did not examine this rule but rather broadly upheld the constitutionality of the 2009 Blocking Rules as a whole due to the presence of certain safeguards including: (a) the non-emergency process for content blocking under the 2009 Blocking Rules includes a pre-decisional hearing to identified intermediaries/originators before content was blocked; and (b) the 2009 Blocking Rules mandate the recording of reasons in blocking orders so that they may be challenged under Article 226 of the Constitution

However, the SC did not consider that the emergency blocking framework under Rule 9 of the 2009 Blocking Rules not only allows MeitY to bypass the essential safeguard of a pre-decisional hearing to impacted stakeholders but also fails to provide them with either a written order or a post-decisional hearing. It also did not address that Rule 16 of the 2009 Blocking Rules, which mandates confidentiality of blocking requests and subsequent actions, empowers MeitY to refuse disclosure of blocking orders to impacted stakeholders thus depriving them of the opportunity to challenge such orders.

In fact, Rule 16 was cited by MeitY as a basis for denying film critic Mr. Tanul Thakur access to the blocking order by which his satirical website ‘Dowry Calculator’ was banned. Mr. Thakur challenged Rule 16 of the 2009 Blocking Rules and highlighted the secrecy with which MeitY exercises its blocking powers in a writ petition which is being heard by the Delhi High Court. Recently, through an interim order dated 11 May 2022, the Delhi High Court directed MeitY to provide Mr. Thakur with a copy of the blocking order blocking his website, and offer him a post-decisional hearing. This is a significant development since it is the first recorded instances of such a hearing being provided to an originator under the 2009 Blocking Rules.

Thus, the Bombay High Court’s attempt in the Leaflet case to claim equivalence with Rule 9 of the 2009 Blocking Rules as a basis to defend the constitutionality of Rule 16 of the 2021 IT Rules was inapposite since Rule 9 itself was not substantively reviewed in Shreya Singhal, and its operation has since been challenged on constitutional grounds.

Procedural safeguards: Merely because Rule 16 of the 2021 IT Rules permits content blocking only under the circumstances enumerated under Article 19(2), does not automatically render it procedurally reasonable. In People’s Union of Civil Liberties (“PUCL”) the SC examined the procedural propriety of Section 5(2) of the Telegraph Act, 1885, which permits phone-tapping. Even though this provision restricts fundamental rights only on constitutionally permissible grounds, the SC found that substantive law had to be backed by adequate procedural safeguards to rule out arbitrariness. Although the SC declined to strike down Section 5(2) in PUCL, it framed interim guidelines to govern the provision’s exercise to compensate for the lack of adequate safeguards.

Since Rule 16 restricts the freedom of speech, its proportionality should be tested as part of any meaningful constitutionality analysis. To be proportionate, restrictions on fundamental rights must satisfy four prongs[1]: (a) legality – the requirement of a law having a legitimate aim; (b) suitability – a rational nexus between the means adopted to restrict rights and the end of achieving this aim, (c) necessity – proposed restrictions must be the ‘least restrictive measures’ for achieving the aim; and (d) balancing – balance between the extent to which rights are restricted and the need to achieve the aim. Justice Kaul’s opinion in Puttaswamy (9JB) also highlights the need for procedural safeguards against the abuse of measures interfering with fundamental rights (para 70 Kaul J).  

Arguably, by demonstrating the connection between Rule 16 and Article 19(2), the Bombay High Court has proven that Rule 16 potentially satisfies the ‘legality’ prong. However, even at an interim stage, before finally ascertaining Rule 16’s constitutionality by testing it against the other proportionality parameters identified above, the Bombay High Court should have considered whether the absence of procedural safeguards under this rule merited staying its operation.

For these reasons, the Bombay High Court could have ruled differently in deciding whether to stay the operation of Rule 16 in the Leaflet case. While these are important considerations at the interim stage, ultimately the larger question of constitutionality must be addressed. The second post in this series will critically examines the legality and constitutionality of Rule 16.


[1] Modern Dental College and Research Centre and Ors. v. State of Madhya Pradesh and Ors., (2016) 7 SCC 353; Justice K.S. Puttaswamy & Ors. v. Union of India (UOI) & Ors., (2019) 1 SCC 1; Anuradha Bhasin and Ors. v. Union of India (UOI) & Ors., (2020) 3 SCC 637.

Protecting Privacy: A Case Against State Interference Through Restitution of Conjugal Rights

Recent judicial decisions have transformed our understanding of privacy, autonomy, and equality; significantly so post the Supreme Court’s Puttaswamy I judgement. In Puttaswamy I, the Court reaffirmed privacy as a fundamental right grounded in the ideas of autonomy and dignity. An important consequence of this understanding of privacy is its impact on questions of individual privacy within the confines of a marriage. For example, in a recent case on the subject of marital rape, the Karnataka High Court allowed rape charges against the husband and emphasised the importance of reinforcing the right to equality and the right to individual autonomy and dignity of a woman within a marriage.

One such provision within family law that raises concerns about individual autonomy and privacy within marriage is the Restitution of Conjugal Rights (‘RCR’). It is a legal remedy available to spouses where one spouse deserts the other without a ‘reasonable’ excuse or on certain ‘unlawful’ grounds. In such cases, the ‘aggrieved’ party has the right to seek a decree for RCR, by which a court order may direct the deserting party to compulsory cohabit with the ‘aggrieved’ party. The remedy of RCR is provided for under Section 9 of the Hindu Marriage Act, 1955 as well as, Muslim Personal Law, the Parsi Marriage and Divorce Act, 1936 (S. 36), the Indian Divorce Act, 1869 (S. 32-33), and the Special Marriage Act, 1954 (S. 22). Generally, if a person fails to comply with a RCR decree a court can attach their property under the Civil Procedure Code (Order 21, Rule 32).

In this post, I analyse the State’s objectives in providing spouses with the RCR remedy and argue that the remedy itself violates the right to privacy under Article 21 by failing to satisfy the test of proportionality.

Privacy, autonomy, and State interference

State regulation of domestic relations has seen laws governing marriage, divorce, adultery, and sexual relations between consenting adults, for example the criminalisation of homosexuality. Marriage is a social contract recognised by the State and to a certain extent, is also subject to regulation by the State. Although regulations around marriage may be for a variety of reasons, it may be argued that they serve two key interests: protection of individual rights, and the State objective to protect the institution of marriage (often articulated as maintaining cultural ethos and societal values). Examples of the former rationale include laws recognising domestic violence, cruelty, and prioritising individual autonomy by providing divorce as a remedy. The latter rationale can be seen in laws criminalising adultery and homosexuality (both of which have been struck down by the Supreme Court of India post Puttaswamy I) and providing restitution of conjugal rights as a remedy. However, by protecting the institution of marriage, the State also protects a particular conceptionof that institution, specifically the socially accepted notion of a monogamous, heterosexual, and procreative marriage.

It is widely accepted that RCR is an archaic English law (from a time when cohabitation was expected of women) that, as the Bombay High Court noted in 1885, did not exist prior to colonial rule. However, the remedy was codified in the Hindu Marriage Act in 1955 even after India achieved independence and continues to exist despite its patriarchal connotations. The 71st Law Commission Report of 1978 (page no. 27, para 6.5) emphasised the importance of cohabitation to protect the ‘sanctity of marriage’. The High Court of Delhi, in Harvinder Kaur vs. Harmander Singh Choudhry (1984) also adopted this view and held that the restitution of conjugal rights is an important remedy to protect the institution of marriage. The Delhi High Court rejected privacy considerations by stating that a decree of RCR was not the “starkest form of governmental intervention into marital privacy” since it merely aims to restore cohabitation and does not enforce sexual intercourse. As I argue below, this reasoning raises questions about individual autonomy. However, the Delhi High Court’s rationale was accepted by the Supreme Court in Saroj Rani vs. Sudarshan Kumar Chadha (1984), where the apex Court upheld the constitutionality of RCR and reiterated that the right to cohabitation is “inherent in the very institution of marriage itself.”  

This view of RCR — to preserve the institution/ sanctity of marriage — creates tensions with the objective of the State to protect individual rights. An RCR decree interferes with the right to privacy and autonomy by compelling an individual to cohabit with their spouse against their will. This may especially be true after the articulation of the right to privacy by the Supreme Court in Puttaswamy I. The decree of RCR creates an unwanted intrusion into a person’s personal life by denying them autonomy over where they live, and also potentially on the sites of sexual and reproductive decision making. Any analysis of RCR must recognise the power asymmetry within domestic relations that pervasively results in women being subject to physical and sexual violence at home. Thus, contrary to the reasoning given by courts in Harvinder Kaur and Saroj Rani, by compelling women to cohabit with men they have deserted, a decree of RCR may place women at significant risk of domestic violence, economically compromised living conditions, and non-consensual sexual intercourse.

The Andhra Pradesh High Court in T Sareetha vs. Venkata Subbaiah in 1983 recognised that the grant of an RCR decree would amount to an interference of the State into the private sphere, compelling cohabitation or even indirectly, sexual intercourse. The High Court found that this interference of the State through RCR violated the right to privacy, autonomy, and dignity of the individual against whom the decree was sought by ‘transferring the decision to have or not have marital intercourse from the individual to the State’. This decision was overruled by the Supreme Court’s Saroj Rani decision in 1984. While the Puttaswamy 1 judgement in 2017 did not expressly refer to Sareetha, all nine judges broadly adopted the approach taken in the Sareetha judgement, adopting a conception of privacythat recognises its basis in individual autonomy and dignity.

In Puttaswamy I, the Supreme Court ruled that individual autonomy, that recognises the ability of individuals to control vital aspects of their life (including reproductive rights, sexual orientation, gender identity), is an intrinsic part of the right to privacy guaranteed under Article 21 of the Constitution. By this reasoning, a decree of RCR does not account for the right to autonomy of an individual and violates their right to privacy by legally compelling the individual to cohabit despite them making a conscious choice to separate from their spouse.

In recent years, there has been a shift in the thinking of courts, where the right to individual privacy and autonomy is prioritised as opposed to protection of the institution (and specific conceptions of that institution) of marriage. For instance, in Joseph Shine, the Supreme Court held that the law that criminalised adultery treated women as property and was unconstitutional. It opined that although the criminalisation of adultery was introduced to protect the institution of marriage, it serves the interests of one party and denies agency to women. The Court noted –

“The provision is proffered by the legislature as an effort to protect the institution of marriage. But it proceeds on a notion of marriage which is one sided and which denies agency to the woman in a marital tie. The ability to make choices within marriage and on every aspect concerning it is a facet of human liberty and dignity which the Constitution protects.”

Bearing in mind this view of the court, RCR would not stand up to judicial scrutiny as a constitutionally valid right, since it disregards the autonomy and dignity of an individual under the notion of the State aim to protect the institution of marriage.

The proportionality test

In 2017, Puttaswamy I laid down a four-part test for determining the validity of an infringement of the right to privacy. The test’s first limb necessitates the existence of a codified law, which is met with in the case of RCR through various statutory provisions. The test also requires the existence of procedural safeguards against abuse of State interference, which is of reduced significance in the case of RCR as both a RCR decree and post-decree attachment of property require prior judicial authorisation and oversight. In addition to the need for statutory authorisation and procedural safeguards, for an infringement to be valid it must satisfy the limbs of legitimate aim, necessity, and proportionality. The Puttaswamy II (Aadhar) case applied this test, which was first articulated in the Modern Dental College judgement in 2016. This test requires:

  1. any limitation of a constitutional right is enforced for a proper purpose (legitimate aim);
  2. there is a rational nexus between the proper purpose and the measure adopted to achieve it and there are no alternative measures which would achieve the purpose but are less restrictive of rights (necessity); and
  3. the restriction on the constitutional right must be proportionate to the purpose set out by the State (balancing or proportionality).

Firstly, it must be noted that, as observed by the Supreme Court in Saroj Rani, the stated purpose of the measure is protecting the institution of marriage. As stated above, in Joseph Shine the Supreme Court rejected the State’s argument that protecting the institution of marriage was a proper purpose where the State’s measure protected “a notion of marriage that is one sided and denies agency to women.”. In this context, RCR only protects a notion of marriage where individuals cohabit and engage in sexual intercourse, denying agency to individuals and violating individual autonomy. Secondly, the decree of RCR should have a rational nexus with the aim of protecting the institution of marriage. In this regard, it is relevant to note that, in certain instances, individuals routinely file RCR cases expecting non-compliance by the other party, using this non-compliance with the RCR decree as a ground for divorce. Thus, the historically dominant objective of the State of “protecting” the institution of marriage through the positive remedy of RCR may also not be satisfied.

Even if RCR furthers the State’s aim of protecting marriage, it would need to pass the third prong of the proportionality test, i.e., the State must meet the objective of the law through the ‘least restrictive measure’. The State could resort to alternate measures, similar to the ones observed under divorce petitions; an order of mediation or a ‘cooling off’ period provisioned in cases of divorce with mutual consent furthers the aim of protecting the institution of marriage without violating individual rights. However, in a decree of RCR there persists a violation of an individual’s privacy, enforced by coercion through the attachment of property.

The fourth part of the proportionality test emphasises the need to have a balance between the interest of the State and the rights of individuals. As stated earlier, the infringement of individual rights through an RCR decree creates severe consequences that violate the right to privacy and autonomy of an individual, including putting women in particular, at risk of harm. Thus, the gravity of the rights violation arguably outweighs the State interest of protecting marriage, especially since the State aim is often not met and the decree becomes a ground for divorce.

The application of the test of proportionality by Indian courts has garnered criticism as being deferential to the State. However, even with this deferential application, as demonstrated above, RCR would likely not pass the four-part test of proportionality endorsed by the courts in Modern Dental College and Aadhaar.

Conclusion

In the post-Puttaswamy era, various High Courts have recognised the autonomy and dignity of women within marriage under the fundamental right to privacy. For instance, in a recent right to abortion case, the High Court of Kerala relied on Puttaswamy I and held that a woman’s autonomy of body and mind with respect to reproductive decisions are part of the right to privacy. As discussed above, the High Court of Karnataka, in its recent decision, while allowing rape charges against the husband, acknowledged that the exception of marital rape stems from an archaic notion of marriage where the wife was considered property. On similar grounds, one may argue that RCR should be considered invalid since it is based on the outdated notion of marriage where the wife was considered the property of the husband and had no individual autonomy of her own. As noted above, it is also incompatible with the test of proportionality.

On 30 December, 2021, the Gujarat HC observed that an RCR decree could not force a woman to cohabit with her husband. The court recognised that a decree of RCR needs to consider both the parties’ and not solely the ‘right of the husband’. Further, it opined that the very fact that there exists an option given to not comply with the RCR decree under the Civil Procedure Code indicates that the court cannot force a woman to cohabit against her will. The court further laid down certain grounds under which a person could refuse to comply with an RCR decree including cruelty, adultery, and failure of the husband in performing marital obligations. Although this decision seems to encourage considering the rights of women in a marital relationship – it fails to reaffirm the right to privacy and autonomy of the subject of the decree against a law that is effectively discriminatory. It grants power to the courts to decide on a case-to-case basis whether the right can be granted, which could lead to a potential violation of individual rights given the nature of this provision.

Striking down RCR provisions does not mean that there must be a complete embargo on the interference of the State into marriage – for example, the power asymmetry in domestic relationships necessitates the enforcement of laws against domestic violence and most likely requires the criminalisation of marital rape. However, taking into consideration the constitutional scrutiny of laws against the backdrop of State interference and right to privacy, RCR may not stand the test of constitutionality. Currently, a petition challenging the constitutionality of RCR is pending before the Supreme Court – if the above arguments are considered by the court, RCR may be struck down on the grounds that it violates the right to privacy.

This post was originally published on Livelaw on 26 April 2022.

Analysing India’s Bilateral MOUs In the Field of Information and Communication Technologies (ICTs)

Sukanya Thapliyal

Introduction

As per the latest figures released by the International Telecommunication Union (ITU), post-COVID-19, the world witnessed a sharp rise in the number of internet users from 4.1 billion people (54% of the world population) in 2019 to 4.9 billion people (63% of the world population) in 2021. However, the same report states that some 2.9 billion people remain offline, 96%  of whom live in developing countries. These stark differences emanate from several barriers faced by the residents of the developing countries and include lack of access because of unaffordability of ICT services, lack of strong technological and industrial bases, inadequate R&D facilities, and deficient ICT operating skills

Countries are increasingly exploring different ways to partner with other countries through multilateral, bilateral, and other legal arrangements. The countries often forge bilateral cooperation with other countries through signing Memorandum of Understanding(MOUs), Memorandum of Cooperation (MOCs) and creating Joint Working Groups, and Joint Declarations of Intent, among others. These are informal legal instruments as compared to typical treaties or international agreements, and promote international cooperation in strategic interest areas. India has a detailed Standard Operating Procedure (SOP) with respect to MOUs/agreements with foreign countries. The SOP lays down the Indian legal practice on treaty formation and detailed guidelines in respect to the different international agreements that may be signed by the countries. 

India has executed several MOUs, MOCs, Joint Declaration of Intent, and Working Groups to identify common interests, priorities, policy dialogue, and the necessary tools for ICT collaboration. These include a broad range of areas,  including the development of IT software,  telecom software, IT-enabled services, E-commerce services & information security, electronic governance, IT and electronics hardware, Human Resource Development for IT education, IT-enabled education, Research and Development, strengthening the cooperation between private and public sector, collaboration in the field of emerging technologies, capacity building and technical assistance in the ICT sector. 

Aims and Objectives

This mapping exercise lists the numerous bilateral MOUs, Joint Declarations and other agreements signed between India and partner countries to locate the nature and extent of international collaborative efforts in the ICT sector. Furthermore, this mapping exercise aims to understand India’s strategic interests and priority areas in the sector and evaluate India’s unique positioning in South-South Cooperation. The said mapping exercise remains a work in progress and shall be updated at periodic intervals. 

Methodology

The mapping exercise includes an assessment of 36 MOUs and 5 other agreements subdivided into four categories: Fixed Term/ Renewed ICT MOUs (13), Open-Ended ICT MOUs (4), ICT MOUs with Pending Renewal/ Extension and Expired MOUs (19), and Joint Declaration and Proposals concerning ICT Sector (5). The relevant details of  such MOUs are derived from publicly available information provided by the Ministry of Electronics and Information Society (MeitY), Department of Telecommunication (DoT), Ministry of Communications (MOC) and the Indian Treaties Database by Ministry of External Affairs (MEA). The current analysis attempts to bring out the different MOUs, MOCs, and Joint Declarations of Intent executed by Indian authorities (MeitY, MOC and MEA), their duration of operation and the areas covered under the scope of such collaboration.   

Conclusion/Observations/Remarks:

Some of our key observations from the mapping exercise are as follows: 

  • India has entered into MOUs/ Joint Declaration of Intent and other agreements with both developed and developing countries. These include Bangladesh, Bulgaria, Estonia, Israel, Japan, South Korea, Singapore, United Kingdom, among others. 
  • Within India’s ICT cooperation and collaboration landscape, we have identified the following as priority areas: 
Building capacity of CERTs and law enforcement agencies1. Cybersecurity technology cooperation relevant to CERT activities.
2. Exchange of information on prevalent cybersecurity policies and best practices.
3. CERT-to-CERT Cooperation.
4. Exchange of experiences regarding technical infrastructure of CERT.
Technical assistance and capacity building1. Human resource development including  training of Govt. officials in e-governance.
2. Institutional cooperation among the academic and training institutions.
3. Strengthening collaboration in areas such as e-government, m-governance, smart infrastructure, e-health, among others.
Sharing of technology, standardization and certification1. Cooperation in software development, rural telecommunication, manufacturing of telecom manufacturing and sharing of know-how technologies.
2. Cooperation in exchanging and developing technology.
3. Standardisation, testing and certification.
B2B cooperation and economic advancement1. Enhancing B2B cooperation in cyber security.
2.Enable and strengthen industrial, technological and commercial cooperation between industry and research establishments.
3.Exploring third country markets.
4. Favourable environment for the business entities through various measures to facilitate trade and investment.
Key Priority Areas for India in ICT Sector

Mapping MOUs signed by India in the field of Information and Communication Technologies (ICT), created using https://www.mapchart.net/world.html