Update from the Supreme Court – Aadhaar linking and Sabu Mathew George vs. Union of India

Aadhaar linking 

With regard to the pending matter of linking Aadhaar with certain services, the Bench stated that the hearing for interim relief would take place tomorrow (14/12). In addition, the Centre issued a notification on the 12th of December, stating that the deadline for linking Aadhaar with bank accounts, which was the 31st of December, was extended indefinitely. On the 13th of December however, this deadline was fixed as the 31st of March. Our coverage of the Aadhaar linking matter can be found here and here.

Sabu Mathew George vs. Union of India

Today, the Supreme Court heard the ongoing matter of Sabu Mathew George vs. Union of India. In 2008, a petition was filed to ban advertisements endorsing sex-selective abortions from search engine results. Advertisements endorsing sex selective abortions are illegal under Section 22 of the PNDT Act (The Pre-conception and Pre-Natal Diagnostic Techniques Act), 1994 Act. Several orders have been passed over the last few years, the last of which was passed on April 13th, 2017. Following from these orders, the Court had directed the Centre to set up a nodal agency where complaints against sex selective ads could be lodged. The Court had also ordered the search engines involved to set up an in-house expert committee in this regard. The order dated April 13th stated that compliance with the mechanism in place would be checked hereinafter. Our blog posts covering these arguments and other issues relevant to search neutrality can be found on the following links (1, 2 and 3).

In today’s proceedings, the matter was disposed off.

Senior counsel Sanjay Parikh appearing for the petitioners started off by commenting on the working of the nodal agencies and the limits within which they function. He stated that search engines were ‘washing their hands off’ and trying to pawn off their responsibilities to the government.

Counsel for the respondents argued that the petitioners displayed a fundamentally incorrect understanding of how the internet functioned. They stated that a blanket ban on content, as desired by the petitioners, would not be possible.

The respondents then stated that problematic content was taken down in the time period stipulated in the earlier orders. The petitioners refuted this statement.

The respondents once again stated that the petitioners ‘betrayed a lack of understanding’ of how search engines functioned.

The petitioners stated that search engines have been much more proactive and have had more success in taking down content related to child sexual abuse material and terrorism. As per the petitioners, this implies that search engines are capable of removing content in an efficient manner.

The respondents stated that material relating to sexual abuse usually relates to images and other visuals, as opposed to search terms or words. They stated that this was an important distinction, and would determine the extent to which search engines could efficiently take down content.

Referring to the affidavit filed, the petitioners reiterated that the government and the nodal agency were ‘helpless’ and would need further cooperation to prevent content from disseminating.

To this, the respondents stated that the government of India should block problematic URLs.

The petitioners then drew attention to the magnitude of illegitimate content on the internet, by discussing statistics from a YouTube search.

At this point, Chief Justice Dipak Misra interjected by stating that nodal agencies had to function in a competent manner and ensure that complaints were addressed in the requisite time period.

The petitioners responded stating that nodal agencies were finding it difficult to efficiently regulate content, since the takedown of URLs did not affect the availability of related illegitimate content on the internet.

The respondents then outlined the constraints within which search engines functioned. They stated that a search engine could only de-index illegitimate content on the internet, and that the content would continue to exist on the internet otherwise. They remarked on safe-harbour exceptions and also stated that filtering and indexing is an algorithmic process, which could only be regulated to a certain extent. Reiterating on the algorithmic nature of the process, they stated that ‘one step could not be removed from the process’.

They also reassured the petitioners that any problematic URLs, that they were intimated of, would be removed. However, proxy websites with similar content could still crop up. They stated that the possible permutations and combinations were endless, and eliminating search results was not possible. However, sponsored ads could be dealt with effectively.  They also stated that dealing with every instance of infringement on an individual level would be impossible.

At this point, the Chief Justice asked the respondents to elaborate on what could be done.

The respondents stated that there was a need to understand the technology better.

The Bench then asked the petitioners if they could interact with the committee to better understand technical solutions.

Mr. Parikh, referring to an affidavit filed, stated that Google, in 2014, had displayed the ability to ‘proactively’ takedown content, without being informed by external bodies.

The respondents stated that they would look into this.

The Bench concluded by stating that the nodal agency should hold a meeting with the respondents and the petitioners within 6 weeks.

Chief Justice Dipak Misra read out the order.

Mr. Sanjay Parikh appearing for the petitioners stated that the nodal agency, despite the orders passed, had not been able to stop the offending material from being used. According to Mr. Parikh, search engines alone have the potentiality to deliberately remove offending material. Mr. Parikh has also stated that there are other ways in which offending content can be removed by the search engines.

The counsel for the respondents have stated that content can only be removed once it is pointed out, and once a specific URL is specified. There are other permutations and combinations to consider while regulating search results.

Senior Counsel Pinky Anand has stated that the nodal agency is hard at work and addresses complaints efficiently whenever it receives them.

The matter was disposed off.

 

Advertisements

Update on Aadhaar hearing

In October 2015, a 3-judge bench of the Supreme Court of India referred challenges to the Aadhaar program to a constitution bench. One of the primary concerns of this petition was to decide on the existence of a fundamental right to privacy, which has since been upheld. Other similar petitions, concerned with the legitimacy of Aadhaar had been tagged with this petition. While the existence of a fundamental right has been upheld, challenges against the Aadhaar programme are yet to be adjudicated upon.

On the 30th of October, the Chief Justice stated that a Constitution Bench would be constituted and the Aadhaar linking matter would be heard in the last week of November, 2017. More on this can be found in our post here.

Today, the matter was mentioned again.

The Attorney General stated that the hearing should be scheduled for the end of January or the beginning of February, since it would take 6 weeks to conclude. He also made reference to a white paper on data protection the Srikrishna Committee was about to release, and stated that the hearing should commence after these recommendations were considered.

At this point, Mr. Shyam Diwan stated that interim relief in the form of an order should be granted, if the matter could not be heard before the 31st of December. Mr. Diwan reiterated that interim relief was promised if the matter went on beyond the 31st of December.

The Attorney General mentioned that since the matter was of national importance, it would be best for it to be heard before the constitutional bench.

The Chief Justice stated that interim relief would have to be passed by the constitutional bench as well.

Presently, it is unclear whether the matter will be heard next week and dates for hearings in January and February have also not been mentioned.

The road ahead for norms in cyberspace: Moving forward from Tallinn 2.0

by Elizabeth Dominic

Digitalisation has become an integral part of our life. Our increasing reliance on digital infrastructures is linked to the use of cyberspace as a new domain for disrupting international peace and security, with cyber operations becoming an increasingly prominent threat. However, the laws governing such cyber operations remain unclear. There have been some attempts amongst the international community to transpose the existing international law framework to the cyber domain to regulate it. This post will briefly look into the processes that are ongoing for the development of cyberspace norms and will focus specifically on the Tallinn Manual 2.0 and its application of the principle of sovereignty in cyberspace.

The UN Group of Governmental Experts on Developments in the field of information and telecommunications in the context of international security (UN GGE)

The UN adopted digital security as part of its agenda in 1999, following which the UN GGE was formed in 2004. There have been five iterations of the UN GGE. The 2013 and 2015 reports of the UN GGE established that current international law applies to cyberspace and reached some agreement on principles applicable to the responsible behavior of states. A brief discussion of the contributions of the first four UN GGE can be found here. This group collapsed in mid 2017 due to the failure of the states to arrive at a consensus on the application of certain norms of international law (specifically, relating to self defence and countermeasures) in the cyber domain. Accordingly, the future of the group is now uncertain.

The Tallinn Manual Project

As increasing number of states are subjected to cyber operations from rival states and non-state actor groups, it is crucial to establish what laws regulate them to ensure stability, security and accountability. This has been the aim of the group working on the Tallinn Manual. The Tallinn Manual is an international academic initiative that examines the applicability of international law to cyber operations. The project consists of two manuals: Tallinn Manual 1.0 on the International Law Applicable to Cyber Warfare (hereinafter Tallinn Manual 1.0) and Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations (hereinafter Tallinn Manual 2.0) published in 2013 and 2017 respectively. The Manuals were prepared by an International Group of Experts under the invitation of the NATO Cooperative Cyber Defense Centre of Excellence following the cyber operations directed against Estonia in 2007. A brief analysis of Tallinn Manual 1.0 can be found here.

Tallin Manual 2.0: Objective

The Tallinn Manual 2.0 is a four-year follow-on project on Tallinn Manual 1.0. It is a compendium of 154 ‘black letter rules’[1] accompanied by a commentary on each rule prepared by a (new) group of international law experts along with the unofficial input of many states. While the Tallinn Manual 1.0 examined how to apply existing international law norms to cyber warfare, the Tallinn Manual 2.0 expanded on this endeavor by extending the focus to cyber operations in general. The former focused on the most severe cyber operations – i.e. the ones that amount to use of force, armed attacks entitling the victim state to engage in self-defense, and/or take place during armed conflicts. The latter additionally examined the application of international law norms to cyber operations that do not satisfy the threshold of use of force or armed attack and take place during peacetime.[2]

Tallinn Manual 2.0 has analyzed a state’s rights and obligations under international law while engaging in cyber actions outside the context of an armed conflict to further national interests. Some of the principal grey areas of law addressed in the Tallinn Manual 2.0 are:[3]

  • The principle of state sovereignty in cyber space
  • How governments can respond within the framework of international law
  • Principle of attribution
  • State responsibility

Additionally, the Tallinn Manual 2.0 addresses various specialized regimes of international law – human rights, air and space law, law of the sea and diplomatic and consular law – in the context of cyber operations.

Tallinn Manual 2.0: Sovereignty in Cyberspace

One of the most politically delicate legal issues that was addressed in depth in Tallinn Manual 2.0 was the application of the concept of sovereignty in cyberspace. Sovereignty is the underlying principle of international law. It is defined as the “supreme authority of every state within its territory”.[4] It entitles a state to engage in the functions of a state within its territory, to the exclusion of other states.[5]

According to the Tallinn Manual 2.0, cyber space is also governed by the principle of sovereignty. Rule 4[6] of Tallinn Manual 2.0 states “A state must not conduct cyber operations that violate the sovereignty of another state”. Tallinn Manual 2.0 lays down two grounds for determining violations of sovereignty:[7] a) degree of infringement upon the target state’s territorial integrity; and b) whether there has been an interference with or usurpation of inherently governmental functions. Determination of the first ground is based on three factors-

1) Physical damage

2) Loss of functionality

3) Infringement falling below the threshold of loss of functionality

There was unanimous consent amongst the experts with respect to the application of first two factors as they have close resemblance to what would entail a violation of sovereignty in the non-cyber context. Regarding the third factor, the experts were divided.

Cyber espionage will be an issue that falls under this category. In the absence of sufficient state practice and opinio juris, customary international law does not prohibit espionage per se. However, the International Group of Experts concurred that the means employed to perform cyber espionage may at times be unlawful, thereby resulting in a violation of international law obligations of states, including respect for the principle of sovereignty.

With respect to cyber espionage[8] conducted by one state while physically present on the territory of the victim state, a majority of the experts felt that it would be in violation of sovereignty. On the other hand, remote cyber espionage despite its severity was concluded by the majority to not violate sovereignty.

This is problematic because some incidents of cyber espionage may result in severe consequences such as exfiltration of nuclear launch codes that can pose a serious threat. Therefore upholding the view that remote cyber espionage irrespective of the severity of its consequences does not violate sovereignty might not be ideal. Tallinn Manual 2.0 also fails to give a definite answer to whether cyber operations targeted against the online resources of terrorist organizations hosted on the infrastructure of a foreign state violates the territorial integrity of the state. This emphasizes the limitations of the adaptive process, and leads us to the value of independent norm-development processes such as the UN GGE.

The International Group of Experts unanimously agreed on the second ground for determination of violation of sovereignty even though they could not give a definite definition for “inherently governmental functions” which may again as a loophole for states engaging in cyber operations. Tallinn Manual 2.0 cited few examples that can be referred to, to understand what constitute inherently governmental functions- “delivery of social services, conduct of elections, collections of taxes, the effective conduct of diplomacy, and the performance of key national defense activities”.[9] Additionally the group also stated that an inherently governmental function could be performed either by the state or by a private party.

Tallinn Manual 2.0 has provided insights on the application of the principle of sovereignty in cyberspace. But it has not managed to give definitive answers on its application in various contexts. Therefore, sovereignty will definitely be up for future discussions.

Conclusion

The Tallinn Manual 2.0 affirms the application of existing framework of international law to cyberspace. It is strictly a compilation of the expression of opinions of the international group of experts and is therefore non-binding on the states. However, it can serve as a guide for international conversations on how international law applies to cyberspace. But there are still grey areas for which Tallinn Manual 2.0 cannot provide guidance, application of sovereignty in cyber space being one of them. States may choose to primarily focus on those areas and develop norms through state practice and opinio juris. In the absence of definite norms however, states will continue to play in this grey area without fear of rebuke.

 

[1] Restatements of international law in the context of cyberspace, which obtained unanimity amongst the International Group of Experts who drafted the Tallinn Manual.

[2] Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations 3 (Michael N. Schmitt gen. ed., 2017)

[3] Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations (Michael N. Schmitt gen. ed., 2017)

[4] Oppenheim’s International Law 564 (Robert Jennings et al. eds., 9th ed. 2008).

[5] Island of Palmas Case (U.S. v. Netherlands), 2 Reports of International Arbitral Awards 838 (1928).

[6] Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations 17–27 (Michael N. Schmitt gen. ed., 2017).

[7] Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations 20–27 (Michael N. Schmitt gen. ed., 2017).

[8] Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations 168–174 (Michael N. Schmitt gen. ed., 2017).

[9] Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations 22 (Michael N. Schmitt gen. ed., 2017).

 

Biometric-based identification systems and democracy

In September, 2017, Scroll, in collaboration with the Centre for Communication Governance, published our data on biometric-based identification systems across the world, and their correlation with a country’s democratic record. Our data demonstrates a reciprocity between these factors:

“While examining whether countries were instituting these Aadhaar-like systems, researchers from the Centre noticed a trend wherein nations with strong biometric identity systems were less likely to have robust democratic governments…

…So they sought to map out their research, based on data collected primarily from countries within the Commonwealth, measured against their positions on Freedom House’s Freedom in the World index and the Economist Intelligence Unit’s Democracy index. The results show a cluster of nations with less freedoms also instituting a biometric system, while others higher up the democracy index do not have similar identity programmes.”

The original piece published on Scroll.in can be found here. Graphs representing the data set can be found below.

mglqgyqnnl-150666462168928-stesrxqzsh-1505904085

Update on Aadhaar hearing

In October 2015, a 3 judge bench of the Supreme Court of India referred challenges to the Aadhaar program to a constitution bench. One of the primary concerns of this petition was to decide on the existence of a fundamental right to privacy, which has since been upheld. Other similar petitions, concerned with the legitimacy of Aadhaar had been tagged with this petition. While the existence of a fundamental right has been upheld, challenges against the Aadhaar programme are yet to be adjudicated upon.

Today, the Supreme Court decided on a date to continue hearing these challenges.

The Attorney General started off by addressing the orders passed and the Data Protection Committee’s pending report. He stated that they would prefer to argue the case in March, as mentioned previously.

At this point, the Chief Justice suggested hearing the matter in January.

Senior Advocate Gopal Subramaniam reiterated that 8 interim orders, related to Aadhaar linking, had been passed. He stated that if the hearing was to be held at a later date, the voluntary nature of such linking and a lack of compulsion had to be guaranteed.

Senior Advocate CA Sundaram appearing for the State of Maharashtra stated that regardless of an interim order or a final order, the case would still have to be argued. He also stated that the hearing should be held soon, since the matter had been in Court for a while.

The Chief Justice stated that a Constitution Bench would be constituted and the matter would be heard in the last week of November, 2017.

Update:  The deadline for linking Aadhaar with bank accounts is the 31st of December and the deadline for linking with mobile phones is the 6th of March. Contrary to media reports, this deadline has not been extended. 

In the event that the petition is not heard in November, the Court may issue interim orders to stay such linkings.  

 

An update on Sabu Mathew George vs. Union of India

Today, the Supreme Court heard the ongoing matter of Sabu Mathew George vs. Union of India. In 2008, a petition was filed to ban advertisements endorsing sex-selective abortions from search engine results. Advertisements endorsing sex selective abortions are illegal under Section 22 of the PNDT Act (The Pre-conception and Pre-natal Diagnostic Techniques Act), 1994 Act. Several orders have been passed over the last few years, the last of which was passed on April 13th, 2017. Following from these orders, the Court had directed the Centre to set up a nodal agency where complaints against sex selective ads could be lodged. The Court had also ordered the search engines involved to set up an in-house expert committee in this regard. The order dated April 13th stated that compliance with the mechanism in place would be checked hereinafter. Our blog posts covering these arguments and other issues relevant to search neutrality can be found here and here.

Today, the petitioners counsel stated that the nodal agency in question should be able to take suo moto cognisance of complaints, and not just restrict its functioning to the method prescribed previously. Currently, individuals can file complaints with the nodal agency, which will then be forwarded to the search engine in question. The relevant part from the order (16/11/16) is as follows:

“…we direct that the Union of India shall constitute a “Nodal Agency” and give due advertisement in television, newspapers and radio by stating that it has been created in pursuance of the order of this Court and anyone who comes across anything that has the nature of an advertisement or any impact in identifying a boy or a girl in any method, manner or mode by any search engine shall be brought to its notice. Once it is brought to the notice of the Nodal Agency, it shall intimate the concerned search engine or the corridor provider immediately and after receipt of the same, the search engines are obliged to delete it within thirty-six hours and intimate the Nodal Agency. Needless to say, this is an interim arrangement pending the discussion which we have noted herein-before…”

On the respondent’s side, the counsel stated that over the last few months, Microsoft had only received one complaint and Yahoo had not received any complaints, arguing that the nodal agency  would not have to take on a higher level of regulation. Further on the issue of suo moto cognisance, they stated that it would be untenable to expect a government agency to ‘tap’ into search results. As per the counsel, the last order had only contemplated checking with the compliance of the nodal agency system, and with constituting an expert committee, all of which had been established.

The petitioners stated that they would need more time and would suggest other measures for effective regulation.

The next hearing will take place on the 24th of November, 2017.